Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
twE44mm07j.exe

Overview

General Information

Sample name:twE44mm07j.exe
renamed because original name is a hash value
Original sample name:68a5c3157a890d65ae1836ef3794a757d9f1f06559ccf174e7b0e6293ada8925.exe
Analysis ID:1579076
MD5:a3b7b97f81c08c56a79971799b793072
SHA1:400525c81a140beb77c035c95480d40b64496f8e
SHA256:68a5c3157a890d65ae1836ef3794a757d9f1f06559ccf174e7b0e6293ada8925
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • twE44mm07j.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\twE44mm07j.exe" MD5: A3B7B97F81C08C56A79971799B793072)
    • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'twE44mm07j.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2356 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3824 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System User.exe (PID: 1988 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 5236 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 4332 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • System User.exe (PID: 2000 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: A3B7B97F81C08C56A79971799B793072)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
twE44mm07j.exeJoeSecurity_XWormYara detected XWormJoe Security
    twE44mm07j.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      twE44mm07j.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x1061b:$s6: VirtualBox
      • 0x10579:$s8: Win32_ComputerSystem
      • 0x12a7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x12b1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x12c2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x12179:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\System User.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\System User.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\System User.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x1061b:$s6: VirtualBox
          • 0x10579:$s8: Win32_ComputerSystem
          • 0x12a7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x12b1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x12c2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x12179:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000002.2569926614.000000000301C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000000.00000002.2569926614.00000000030C6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                  00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                  • 0x1041b:$s6: VirtualBox
                  • 0x10379:$s8: Win32_ComputerSystem
                  • 0x1287d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                  • 0x1291a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                  • 0x12a2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  • 0x11f79:$cnc4: POST / HTTP/1.1
                  Click to see the 1 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  0.0.twE44mm07j.exe.c50000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                    0.0.twE44mm07j.exe.c50000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                      0.0.twE44mm07j.exe.c50000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                      • 0x1061b:$s6: VirtualBox
                      • 0x10579:$s8: Win32_ComputerSystem
                      • 0x12a7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                      • 0x12b1a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                      • 0x12c2f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                      • 0x12179:$cnc4: POST / HTTP/1.1

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\twE44mm07j.exe", ParentImage: C:\Users\user\Desktop\twE44mm07j.exe, ParentProcessId: 7436, ParentProcessName: twE44mm07j.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', ProcessId: 7704, ProcessName: powershell.exe
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\twE44mm07j.exe", ParentImage: C:\Users\user\Desktop\twE44mm07j.exe, ParentProcessId: 7436, ParentProcessName: twE44mm07j.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', ProcessId: 7704, ProcessName: powershell.exe
                      Sigma detected: CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\System User.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\twE44mm07j.exe, ProcessId: 7436, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\twE44mm07j.exe", ParentImage: C:\Users\user\Desktop\twE44mm07j.exe, ParentProcessId: 7436, ParentProcessName: twE44mm07j.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', ProcessId: 7704, ProcessName: powershell.exe
                      Sigma detected: Startup Folder File Write
                      Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\twE44mm07j.exe, ProcessId: 7436, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
                      Sigma detected: Suspicious Schtasks From Env Var Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\twE44mm07j.exe", ParentImage: C:\Users\user\Desktop\twE44mm07j.exe, ParentProcessId: 7436, ParentProcessName: twE44mm07j.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", ProcessId: 3824, ProcessName: schtasks.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\twE44mm07j.exe", ParentImage: C:\Users\user\Desktop\twE44mm07j.exe, ParentProcessId: 7436, ParentProcessName: twE44mm07j.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe', ProcessId: 7704, ProcessName: powershell.exe

                      Suricata Signatures

                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T19:13:32.978800+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.749847TCP
                      2024-12-20T19:13:37.834744+010028528701Malware Command and Control Activity Detected147.185.221.1835710192.168.2.749847TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T19:13:37.836338+010028529231Malware Command and Control Activity Detected192.168.2.749847147.185.221.1835710TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T19:13:32.978800+010028528741Malware Command and Control Activity Detected147.185.221.1835710192.168.2.749847TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-12-20T19:13:37.328246+010028559241Malware Command and Control Activity Detected192.168.2.749847147.185.221.1835710TCP

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: twE44mm07j.exeAvira: detected
                      Antivirus detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeAvira: detection malicious, Label: TR/Spy.Gen
                      Found malware configuration
                      Source: twE44mm07j.exeMalware Configuration Extractor: Xworm {"C2 url": ["hope-asia.gl.at.ply.gg"], "Port": 35710, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeReversingLabs: Detection: 81%
                      Multi AV Scanner detection for submitted file
                      Source: twE44mm07j.exeReversingLabs: Detection: 81%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Roaming\System User.exeJoe Sandbox ML: detected
                      Machine Learning detection for sample
                      Source: twE44mm07j.exeJoe Sandbox ML: detected
                      Sample uses string decryption to hide its real strings
                      Source: twE44mm07j.exeString decryptor: hope-asia.gl.at.ply.gg
                      Source: twE44mm07j.exeString decryptor: 35710
                      Source: twE44mm07j.exeString decryptor: <123456789>
                      Source: twE44mm07j.exeString decryptor: <Xwormmm>
                      Source: twE44mm07j.exeString decryptor: FakeSolara?
                      Source: twE44mm07j.exeString decryptor: USB.exe
                      Source: twE44mm07j.exeString decryptor: %AppData%
                      Source: twE44mm07j.exeString decryptor: System User.exe
                      Source: twE44mm07j.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: twE44mm07j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Suricata IDS alerts for network traffic
                      Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.18:35710 -> 192.168.2.7:49847
                      Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.18:35710 -> 192.168.2.7:49847
                      Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49847 -> 147.185.221.18:35710
                      Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49847 -> 147.185.221.18:35710
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: hope-asia.gl.at.ply.gg
                      Connects to many ports of the same IP (likely port scanning)
                      Source: global trafficTCP traffic: 147.185.221.18 ports 0,1,3,35710,5,7
                      Yara detected Generic Downloader
                      Source: Yara matchFile source: twE44mm07j.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.twE44mm07j.exe.c50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
                      Source: global trafficTCP traffic: 192.168.2.7:49847 -> 147.185.221.18:35710
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewIP Address: 147.185.221.18 147.185.221.18
                      Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                      Source: unknownDNS query: name: ip-api.com
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: hope-asia.gl.at.ply.gg
                      Source: powershell.exe, 00000009.00000002.1742649472.0000019C6E703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                      Source: powershell.exe, 00000009.00000002.1742649472.0000019C6E703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                      Source: twE44mm07j.exe, System User.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                      Source: powershell.exe, 00000003.00000002.1459040833.00000184C3331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1582648739.0000028C5D380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713916139.0000019C65D9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000003.00000002.1434515455.00000184B34E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D53A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55F59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1434515455.00000184B32C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE6F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000003.00000002.1434515455.00000184B34E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D53A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55F59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000003.00000002.1466092919.00000184CBA60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1595935692.0000028C65947000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                      Source: powershell.exe, 00000003.00000002.1434515455.00000184B32C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE6F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000003.00000002.1459040833.00000184C3331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1582648739.0000028C5D380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713916139.0000019C65D9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                      Operating System Destruction

                      barindex
                      Protects its processes via BreakOnTermination flag
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: 01 00 00 00 Jump to behavior

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: twE44mm07j.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 0.0.twE44mm07j.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC6060C60_2_00007FFAAC6060C6
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC6012900_2_00007FFAAC601290
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC606E720_2_00007FFAAC606E72
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC6017190_2_00007FFAAC601719
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC6020F10_2_00007FFAAC6020F1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC60A9200_2_00007FFAAC60A920
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC60F1480_2_00007FFAAC60F148
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC60F1480_2_00007FFAAC60F148
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC6010A50_2_00007FFAAC6010A5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC6B30E97_2_00007FFAAC6B30E9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFAAC6B30E99_2_00007FFAAC6B30E9
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 17_2_00007FFAAC5D171917_2_00007FFAAC5D1719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 17_2_00007FFAAC5D103817_2_00007FFAAC5D1038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 17_2_00007FFAAC5D20F117_2_00007FFAAC5D20F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFAAC5F171918_2_00007FFAAC5F1719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFAAC5F103818_2_00007FFAAC5F1038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 18_2_00007FFAAC5F20F118_2_00007FFAAC5F20F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFAAC5D171919_2_00007FFAAC5D1719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFAAC5D103819_2_00007FFAAC5D1038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 19_2_00007FFAAC5D20F119_2_00007FFAAC5D20F1
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 20_2_00007FFAAC5F171920_2_00007FFAAC5F1719
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 20_2_00007FFAAC5F103820_2_00007FFAAC5F1038
                      Source: C:\Users\user\AppData\Roaming\System User.exeCode function: 20_2_00007FFAAC5F20F120_2_00007FFAAC5F20F1
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\System User.exe 68A5C3157A890D65AE1836EF3794A757D9F1F06559CCF174E7B0E6293ADA8925
                      Source: twE44mm07j.exe, 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemsedge.exe4 vs twE44mm07j.exe
                      Source: twE44mm07j.exeBinary or memory string: OriginalFilenamemsedge.exe4 vs twE44mm07j.exe
                      Source: twE44mm07j.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: twE44mm07j.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.0.twE44mm07j.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: twE44mm07j.exe, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csCryptographic APIs: 'TransformFinalBlock'
                      Source: twE44mm07j.exe, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csCryptographic APIs: 'TransformFinalBlock'
                      Source: twE44mm07j.exe, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csCryptographic APIs: 'TransformFinalBlock'
                      Source: System User.exe.0.dr, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csCryptographic APIs: 'TransformFinalBlock'
                      Source: twE44mm07j.exe, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: twE44mm07j.exe, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: System User.exe.0.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: System User.exe.0.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/21@2/2
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile created: C:\Users\user\AppData\Roaming\System User.exeJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\System User.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
                      Source: C:\Users\user\Desktop\twE44mm07j.exeMutant created: \Sessions\1\BaseNamedObjects\xAXRhxSiuCvWXlAf
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_03
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                      Source: twE44mm07j.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: twE44mm07j.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: twE44mm07j.exeReversingLabs: Detection: 81%
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile read: C:\Users\user\Desktop\twE44mm07j.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\twE44mm07j.exe "C:\Users\user\Desktop\twE44mm07j.exe"
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'twE44mm07j.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'twE44mm07j.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\twE44mm07j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: System User.lnk.0.drLNK file: ..\..\..\..\..\System User.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: twE44mm07j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: twE44mm07j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.JqVuYg6hxaBUVcsdVfq2EcFAGccAALAx6cfCplGgUYZBCMgZ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX._9U7OSAq0RXDPzWAZjnggVkY6KqaW8cEJGr3VqC6YPwEJiLQu,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.m5CbZCym8joy9FHkIHwTq3Abm67Rn11rdkK3Mm05MdF6FmPJ,_0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.eBo3ZLkgXek59acgYzOPhGatYL2GzfbBwmHN7fnlTJYIsq4G,_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.qJPD6VozMzwU00SkOvlrAxbO1xXiBnr9CJYEOhfpofh3s4nRMuIi0qdgXAeQfcmp5HrP5QWtcP8mTPYuZNVTSOZxVsA6sB0CE0()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[2],_3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.awtX9wwH9SKzlYTJgmPpqssvVZpVHXTwSNAIlhI0ArefAyH1phkJcYETo4nSdcIpBj9bIoqVMIftQAfrAVj0TglYcljvX3d21W(Convert.FromBase64String(UE0TPOEfEtXYb36upxT4ctn2b3a6f3yd32a9sAIWHZakmlowGwIs0Qb78SQdgpgO3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      .NET source code contains potential unpacker
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c System.AppDomain.Load(byte[])
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL System.AppDomain.Load(byte[])
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.cs.Net Code: VtxkYNl9pd3FHB9P1lmdqyYaPJPYBixu3cPG4vqlbJeJCA6B8W8dvvTN3qI4UOkdL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC4DD2A5 pushad ; iretd 3_2_00007FFAAC4DD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC6C2316 push 8B485F93h; iretd 3_2_00007FFAAC6C231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC6C278D push FFFFFFB6h; retf 3_2_00007FFAAC6C27AB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFAAC6C2A59 push FFFFFFB6h; retf 3_2_00007FFAAC6C2A5B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC4CD2A5 pushad ; iretd 7_2_00007FFAAC4CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC5E1A12 pushad ; retf 7_2_00007FFAAC5E1A59
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC5E1A75 pushad ; iretd 7_2_00007FFAAC5E1AB9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC5E23FB pushad ; retf 7_2_00007FFAAC5E2401
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFAAC6B2316 push 8B485F94h; iretd 7_2_00007FFAAC6B231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFAAC4CD2A5 pushad ; iretd 9_2_00007FFAAC4CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFAAC6B2316 push 8B485F94h; iretd 9_2_00007FFAAC6B231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFAAC4DD2A5 pushad ; iretd 11_2_00007FFAAC4DD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFAAC6C2316 push 8B485F93h; iretd 11_2_00007FFAAC6C231B
                      Source: twE44mm07j.exe, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: twE44mm07j.exe, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: twE44mm07j.exe, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: twE44mm07j.exe, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: twE44mm07j.exe, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: twE44mm07j.exe, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: twE44mm07j.exe, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: twE44mm07j.exe, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: twE44mm07j.exe, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: twE44mm07j.exe, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: System User.exe.0.dr, 7l8EMvCZIQ2S6SCCgLjAUPV321xi9u2lG1TN5rcaiwq3jJZsmcdPp6QQZ4JfjN1Ag3iJhVbD2EMEm6iDuAiqQJORTJjKZlvtxR.csHigh entropy of concatenated method names: 'yLkA7Q6Kyqbf7JvABMuLJlGQe8lXA3ZPaGTzSUgq5myXaKtbYNc1F1R2xNV3eEzAlxyWWPMje4ZJsYtZpjLrVxKSGiuKErxdsn', 'ay9gvxX2nAR4xs0fZMBlmfecS4kM3MYsQmE9WDNd22SUfcckNmdsM5odOJqICEhy0b09DJsHYNjHvYltdHpSlt54GW6CuF8WAB', '_5YcIPTAaHluO4yNnj1vfBwQeeNmkoH8nMKzc2miNJESRx3WzOFaUm6KbQZxYDPbWr6QC3mZ817QCFOLaIzodRe6n9dZY62II0e', 'iM7MRft4gonQkd1M5Ag3RkMRz', 'HtI7DCm94hvxdFS3tcCRfjP0B', '_1eROfC4OTQkqiqLLg1UaTC7I3', '_86uYvfHoynkvtwP3LC7jNqL5l', '_6H35GECqxSX36OMFsHk9b0JI3', 'ivyvL9KeLSbyFYPNQl8bu5OCL', 'f6NSBWBAVbEsBxXbShNY8sAKQ'
                      Source: System User.exe.0.dr, 0fMQz1adjSFKPgcLs2KfNWsL1qDjoRJ254KgG47NkBGFlkHX.csHigh entropy of concatenated method names: 'yh97aflW3Y6Oc6EMOjb8igXrFuDjxnyJ0g4ZgemCPK25C6B0QkVCKz6gXmErE8EFiJzZ0N8KwuSddeiSIei', 'rmFFrLm9tg4sqGbwwV6wTFNfANZqh2jmSbI2T7KIFdXYBS7NZ76YUuWieUDCGxfu2uFIFSqI7qJbnil5WPx', 'JeYM41efdgM3xEeo83K8abrLd3xT9Zka5PUghZeANQraQFGzVzGwZlLjFHekTIjUpXPGUzOHAaa2hss6Ro7', 'jl27VKGuPbY6Vv50dLRBg9PHurocMlRz5UXO3avvvO7g7hGGaRW2xiPqgqgoCagbW6eFOJmnmTsQ9BFvKki'
                      Source: System User.exe.0.dr, Aa9DO6wWMfkvbFA2SI9y58lSPZNgXOk0nlHGYdR5geCe6PSZ.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'rCym4pGH0HfiWYMDkatZ4jDgtzxGrNwDeTdN4AGeR6ampuEWA1uJoNCe2HQqeMQKzjbNL0umb0ads4lHF7iR7rf0fDHQ6fYZv0', 'JnGcaPLk9cEe8ZtNdeKwV2NmbQK9NjtMQBcABUh7rA69kc63UMML6mEBixCWcCQlpNcgcRT7vTtcN98dMooYPV7JU7l3n98uBC', 'za8iXzabtj3LOTES9ZUroK4B7VbEXqHLFSddlabg9rmqfzeJxAwwU5fprAWHSYoqtTdLDLf5wWhhI3vRLVOpCx10SD7ZtcrfHV', 'AxG7nVOUs64ifgghu403q6JlFTkHiMAxg7JlRR7C6BUFS8ABLZGfAPgje1VNGD0I4tt1OhX6t7jmBvnVXZc'
                      Source: System User.exe.0.dr, 3dgQ4sLORTEz8Prkm60ulWACIXjwJ7c6mrCcGNf2MvuZdnTw9FZ0qRPg2U86pBEnH.csHigh entropy of concatenated method names: 'QxFWgAZfropbgmTO2hlzNsLzVeiewHGUSf6EW3Ffo7mQohnn3sFEtKyn58ywLDXZp', 'E7gTS6aZOBUjrnjWkRovirs5GQMP6vDANNiXNCsHM9XKpdpCSi9ySH4h7LWHV17ED', '_5GEPL5zXkhE1GjOHoZ9z63pfIV85JvFLlvj9gixiODSRnurpPHLDzOHVFbEEno2RavWF3fIZEn3SxJ98u2njqTFUddgst4LRcj', 'ltLJ4u6QrOFoSub4MAJVSYuaDhMwbXPSGDBGMy2ZbRxsYrLl16uPhdnTP7agf6Hm1vk8YnSCaVCsMp7KpjatND9rWTQO8huXyA', '_11e6MCzhNjt9fkdjoEPblcMuf6aFCMPVhhBUVA7Yqvey60iT4Z9rQiGfXtUSY21UXDoLmcm6FQzqjjhT443rzH1lHfGBRaJtHO', 'UZ4u6YhLiNmOQFhZub8hA81xnXuvc2Ctomxn0gpupTthP7ZmB0HUwan956IvJfW7zg9wrIOHlikLJ3FTJAQFthekemjXyhQSnf', 'DwGMdcgm3qHTRgmWo7sPJ5n0mnmEW2Fbc5oKL6LmvH2Z8Na3KvToLZPvhJoAOw3kTLi0O0Ocuxf3rowAAP7q2aqOBC16LpYOTX', 'zgdeUfZxN9ppsoOeFNMwd0uvrXzumzUexYDqje8VufRmYDVO4UqBdeQkKXZkwRFlpgusfVbxqelmm0C6pEM5PlxKogt9n60CKN', 'vmcqjfch5uiAiPz2xYdQXmk3uqbYmRKT6dK6XpFJuqu89T7ov0Xj6xsWrH2HieBkeuyBpMScrGzeRWxPDV4NyMWMaDCOXmtZWS', 'psQx6sOJNixtwH4cosuDJVM8w3hj7T7nEmPV7UZ3P0QeICadwisrC4VZPDfXPAwqXopYgZttuwQpzBkWaQ9QBphkKlg1T2YCYC'
                      Source: System User.exe.0.dr, 0z3ZIhpJfhq2njFq0TTjg8sopVsEWVPb24mSwU4g0QL4dxjF7JdE4QOgJ40VPuiaU.csHigh entropy of concatenated method names: 'E7pAEoTZL9Spl2tY5dP9it8wxhZikXrxarMTkvT3bAO1JmNjM4DEjCrAFEf4C84Hc', 'sK1EMIEWy94QUVp8dt4NMb7nE', 'Bq3KY2TNlgepk2nYwWvgaeox4', 'ZATUsFwMG4tcqp3gKEA66w1O0', 'gqFJHjU2OILeYa5BRaqNA1D5k'
                      Source: System User.exe.0.dr, RCU77fvzQI1bW3Vpo5QsIuEOnvacINkd41Sdukon4zQhdO3pwSwv0DKGBQDlkhLcC.csHigh entropy of concatenated method names: '_3S6hTXFysXlTNpxkpMjvWho3Xij3a1thIBgoyfGVtVa8vLSxdMJ4mTU9fHTeTpyaT', 'SH8BPXlVdqfTpfr0dXzAedp0Owyt8vQ5aQMzLkLDknEZIyP3wSWkTb4T9OOH6Rmwt', 'ujmHtkgyBcc340ZUYJd4ZwSHR9s75HBDcR02joVkumogehguuKmJcNwp2ARZ7Y2eU', '_8uLtrjXyCbOf5PZIQ3NOJ4dW6qSMOwuWamF2lDNy5dLn7CpRI4gwrgv5yrFxfx0cG', 'WNpZKzxqLOd7RnJuNXtrbOscx', 'j0O4pInvmClZbk6eGgGhDPkt1', '_27UGHbqGtAnPYozHgin2IxY2o', 'mP1PQHbMcqYgF7rcX92WxSnc7', 'UuSZA9yx6NwCF7bdQBlSE92eY', 'gV9BDwFy83190WOT9KtIpLVbQ'
                      Source: System User.exe.0.dr, VtuFYKkWuY1PI9BLhv1ksGbAvUhLDZmtE93hWySfiP39HcMYveO0HxCdT6CIPx7oMr8o8LBMU51eJGML.csHigh entropy of concatenated method names: 'lV8yfxnNOUZBrm7CCVAOCkMBat7ri85PfdsuSOkvPZ6T1pNFM5pGl9OqquNozdUuZRnBAVVMyRaaAMEB', 'Mgz8VMYXFJgs3CCMy91hlPEh2gWvWXttoNd8pG4xN08KTUwmb3zGeU0ET6YRZMvLwvIqXmPQHoooDm0c', 'pMFZ3PfvjSoGzkxKDTIiEVsgD2oSzxmwy9iQcZIMjWaqwi23XuiTTKhoEu57SkzeNCkbcY2b8FxO5Mvv', 'NH7YFiUOc5O0NSPvuPKD60ETIJxA3xnxfVXgRvMOuDvL2ZGrLviNQ6KOb50AX6b8G4oMPQm6QcuJNFxc', 'XqsUtRgXgobAukbBF3YrZRWuvN7k9mQQ4UTQuwGRKzndvPcxpUcoFtGYOFhERsAzBV0sYIi73FysSCpP', 'ehmlzl9HRbOhC72a5QblVNPKttoeTJGt58GLWCcJwFc9tIA8JMLTR7cC8fo2z59e5Elbdoq3HBIm3JBF', 'cVa88cKP4KxJbWe1wHxvup0fb40DrVPdG6MU4DVPRDtMslX2XHJVQLch5LdVStxVr0K7OWr7ZAvma7g0', '_6n7p7xcfkpxVJHGWtOAgEauvhKq6iFar1EAuBxNmilpE0I6s4OTNZGJI6olsxtYtouxQOyuB1NLvYxsM', 'gdyqhq6UGMGDaSA4E3FKviLXlri68bwhigKwBd09U3mJhDdd8EFiyXjYk7v0Me4p6', 'qBmNnXvTbBv0CeX2VcO6Mx2b2hi1FMYkpC0aLANmj0fjIVVdNBTGzIXF4qZZQC6is'
                      Source: System User.exe.0.dr, stk6so8iK7FJeV1oDN5jkaRBY7Ddrzd4rBzBn9cyxVQm0hI4XGecZHjMpsFUIQ2opBbgNNP4Er2RJQfs.csHigh entropy of concatenated method names: 'qdmDYl4SL5ToIVCygypSkfUIDKPjPBMcg2pWQW1zo5JM2XOuiAwYIwNyAwohiYTUHH7uBG2P6URZDpkm', 'pQuIZJe9VwWfwtXo1n1TM12UVqpO1F6n1SDK5IiQTd5al1uh8JfEfTNYDwRfQPZij33wLq0aUK20cOHm', 'yealjVgbGthaP5FKECWl8KU5CL3QtF9urObvSWHJpwUX0AVS2QILSBuOrVLFBBCV02Wd64qHl5rcj8jj', 'FxMirkENPExtEC31ZL6aSwVo77wVgbeSUnd6fAw4oyPrAkel0j9O2ZgTZqqMSqieMfewjincpK0Vnsyz', 'RvVB9Ejb26XJ1kquvFnq3aQ9DI4Clt6AkQ55Vb1JVjaKGicDYngQj48Lgk5uza6TrlBilvpG9rZbdpZr', 'ojqT7jfklN6efpZt4f9GOK8UlLQQYSyLsWsqLdh7pNleULztIfmvuRjvbiUL5hBghcJHTVixu9AvWaSB', 'LYESWLPlNRB0RjlPBmu0cNDGD3nxTEfomN5rdXs2kjJkJ0rChKYf9a5OY3zH2ws4i2hdhKGIxYwUhAxv', 'sPApCcjEzgyiG1RLXBGyRbJDlQhSTnsCE8FYdrOIqFff4GpLFG35DTBjOoiBOIyRJbopCIzMXppXzf9z', '_4UeQiiQhn5nUGmsfOBWU2l6MQmAdJGc1zZCtsJ3WEBsztv7nnRLNlASY3wLrXt4So1oMMqbwc4Bs5g9l', '_9x2NFSoKL9vLpyXL1ktRXKL7SG847SNgRcdPtdPR8Om2cVboTqKHs6XMueB4gqshuhF7Aia8hNhQel9u'
                      Source: System User.exe.0.dr, kYTFTR8V1K5OKHLJMdR9YLHeADSXXhtlG4Iwp3C4PI51lKEwaKDsnQlE3p7TC5FakkF3rYArzaBF5kPl.csHigh entropy of concatenated method names: 'BVqUoib0qQQlOkJEpWqM9D6mhr8SUDEpFDtzydSqh2w5Oo3DHVMV9mx7q1h0P8J55Ykz6w58o4H7LEC7', 'c31mxOeqgNLubMT2h5AST0IHdPAgEFgZAXyQ8RyaqvvyD0m6iwyKnYPQgsEHgKq4sclbIoCq9ekKmJx5', 'PzZFwBQ0Wo3sWYN9lbVpUjs00MTFAMgL3C6c1M62OH6qp0HyaCykdkRtcktS1lpPGIadK151yf9ll5kP', 'iZ1VpmKAxUZ5MEy03TNnL0O13IynehkTVOmUnOQihopeuYCgPofGAcz3cEjJz62CyozF9AxaBx6FYwVJ', 'k3ndOXrYkQH9liWl9ILv5rTWikaKMUactCNvyGmIoxN6HqIFj24TozibWBtvio1FK5CL9GyeJ8COXdao', 'h4Jxq053KZd14zLY6MGQRcCVHWhC1oUNZ1Dwkh06DyfCoK8BZ41STUKuTNZaIiyOtRLDSnWeyxeuHyx5', 'yE0qpSUDJwJzUcoWRb7RduQfTW8VbkCDON7wafJczZbOxyFxEsahclUEguvWpBZvySnlLbAFbOAaG43o', '_3eZb4qgo9XlZFyEEP6kniOLHeIGoVAwPpp0QNW1Oz6Rdmg32BWCa24cRVDPSwcscPU0AQeTeSoGdorXY', 'VzfEhaqpx7WuM6mKRysSvH9CnwJfaQgLrwFjSXr7Dd8MvmhLq5ucsvUZNIRSyYcbUor0nwBAb5adVWJA', 'Hcxmwgcfvb0Bkd2qCZPrYJ9y8zsB3wzwWROBql1Bs7u2bWnTbpVOqKraOWNdG3emjOJzdqAZG19OKmsU'
                      Source: System User.exe.0.dr, qbP50VaV6GXcwq1MYN7LflNfjGaY1EnTdTMXqhGBe7CwlDFU5DK42dCawqRAoJLP4.csHigh entropy of concatenated method names: 'MXhGTmv46wi5UhuMKLIxDlmzGyV7SGmjknEIYL3cd38rdGgJN0f51QgP9wyn2zklK', 'PsuVaX6vi2YxK2FN82eAyoFLnBPEC3myeciUVh0g4hxrd5hBvKdW4tmkIJfc2rPF5', 'axoHHeKaC9uJqM3UUsG2vc0waW0Pkc4HfWmp7YncVCNKZlNWZoD6sZmdUDCkQ7Le4', 'EqQrwwEuNxMagdr276yhN8uCG2fZ2Im63WLnYY3Xjk8ALtrmRJFaK7urDnQ7U3oZx', 'WhPVdwGxGiASUSwCNVscZFrPhIPtxFVwgmuL3zSkXK90LEZpKgEUSQNukdpXV06tW', 'rrent0ANdMIraUHV8crovUBgoM9R8aVTgf2hwKfWPyItgZlhS0Ah5nmfDHHRbX9nA', 'FtaDGUbc726CncyTgQdVlNgqZTQNlinN5JIKCGsk1QXh1L61c1lGE9lTJBwcMU34z', 'qyQ13OJEfnw6cNJa4AWK3KJFjrbCGz1q7TiPiSrh7sOKMUkQhjQsNCwouKtHvdFzS', '_6c2pg3Gt4EzzUEfWShMSZcLD90vIQcf1K4tDIIFlrYiowtiJaBUYTEn0POAeyxBxL', 'I45LXYxaZ72Yz8T3SQepzItv8kDPDO4byqIBOub6l5OhFWxq5sX0MrBiZzttKiHfT'
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile created: C:\Users\user\AppData\Roaming\System User.exeJump to dropped file

                      Boot Survival

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnkJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnkJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System UserJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System UserJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Check if machine is in data center or colocation facility
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\twE44mm07j.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: twE44mm07j.exe, System User.exe.0.drBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\twE44mm07j.exeMemory allocated: 14A0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeMemory allocated: 1AFD0000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 770000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: BA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A530000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1400000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1AF50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1400000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1AFB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\twE44mm07j.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\twE44mm07j.exeWindow / User API: threadDelayed 2020Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeWindow / User API: threadDelayed 7801Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5408Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4383Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7046Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2531Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5805Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3762Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6293
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3436
                      Source: C:\Users\user\Desktop\twE44mm07j.exe TID: 2380Thread sleep time: -32281802128991695s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep count: 7046 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052Thread sleep count: 2531 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644Thread sleep count: 5805 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368Thread sleep count: 3762 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1452Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 5332Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 3944Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 3916Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\System User.exe TID: 7920Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\twE44mm07j.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\twE44mm07j.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                      Source: System User.exe.0.drBinary or memory string: vmware
                      Source: twE44mm07j.exe, 00000000.00000002.2576885887.000000001BDA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      barindex
                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\Desktop\twE44mm07j.exeCode function: 0_2_00007FFAAC607A81 CheckRemoteDebuggerPresent,0_2_00007FFAAC607A81
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\twE44mm07j.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Bypasses PowerShell execution policy
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'twE44mm07j.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"Jump to behavior
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.000000000303B000.00000004.00000800.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2569926614.0000000003078000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.000000000303B000.00000004.00000800.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2569926614.0000000003078000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.000000000303B000.00000004.00000800.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2569926614.0000000003078000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.000000000303B000.00000004.00000800.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2569926614.0000000003078000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                      Source: twE44mm07j.exe, 00000000.00000002.2569926614.000000000303B000.00000004.00000800.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2569926614.0000000003078000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager2
                      Source: C:\Users\user\Desktop\twE44mm07j.exeQueries volume information: C:\Users\user\Desktop\twE44mm07j.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\twE44mm07j.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\System User.exeQueries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
                      Source: C:\Users\user\Desktop\twE44mm07j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: twE44mm07j.exe, 00000000.00000002.2576885887.000000001BE24000.00000004.00000020.00020000.00000000.sdmp, twE44mm07j.exe, 00000000.00000002.2564201023.00000000010E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\twE44mm07j.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: twE44mm07j.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.twE44mm07j.exe.c50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2569926614.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2569926614.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: twE44mm07j.exe PID: 7436, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

                      Remote Access Functionality

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: twE44mm07j.exe, type: SAMPLE
                      Source: Yara matchFile source: 0.0.twE44mm07j.exe.c50000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.2569926614.000000000301C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.2569926614.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: twE44mm07j.exe PID: 7436, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                      Windows Management Instrumentation                      		1
                      Scheduled Task/Job                      		12
                      Process Injection                      		1
                      Masquerading                      		OS Credential Dumping541
                      Security Software Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Encrypted Channel                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job                      		21
                      Registry Run Keys / Startup Folder                      		1
                      Scheduled Task/Job                      		11
                      Disable or Modify Tools                      		LSASS Memory2
                      Process Discovery                      		Remote Desktop ProtocolData from Removable Media1
                      Non-Standard Port                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      PowerShell                      		1
                      DLL Side-Loading                      		21
                      Registry Run Keys / Startup Folder                      		151
                      Virtualization/Sandbox Evasion                      		Security Account Manager151
                      Virtualization/Sandbox Evasion                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Ingress Tool Transfer                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                      DLL Side-Loading                      		12
                      Process Injection                      		NTDS1
                      Application Window Discovery                      		Distributed Component Object ModelInput Capture2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Deobfuscate/Decode Files or Information                      		LSA Secrets1
                      System Network Configuration Discovery                      		SSHKeylogging12
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      Obfuscated Files or Information                      		Cached Domain Credentials1
                      File and Directory Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                      Software Packing                      		DCSync23
                      System Information Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      DLL Side-Loading                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579076 Sample: twE44mm07j.exe Startdate: 20/12/2024 Architecture: WINDOWS Score: 100 40 hope-asia.gl.at.ply.gg 2->40 42 ip-api.com 2->42 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 17 other signatures 2->54 8 twE44mm07j.exe 15 6 2->8         started        13 System User.exe 2->13         started        15 System User.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 44 hope-asia.gl.at.ply.gg 147.185.221.18, 35710, 49847 SALSGIVERUS United States 8->44 46 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 8->46 38 C:\Users\user\AppData\...\System User.exe, PE32 8->38 dropped 58 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->58 60 Protects its processes via BreakOnTermination flag 8->60 62 Bypasses PowerShell execution policy 8->62 64 3 other signatures 8->64 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 file6 signatures7 process8 signatures9 56 Loading BitLocker PowerShell Module 19->56 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        process10

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      twE44mm07j.exe82%ReversingLabsWin32.Exploit.Xworm
                      twE44mm07j.exe100%AviraTR/Spy.Gen
                      twE44mm07j.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\System User.exe100%AviraTR/Spy.Gen
                      C:\Users\user\AppData\Roaming\System User.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\System User.exe82%ReversingLabsWin32.Exploit.Xworm

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      No Antivirus matches

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      ip-api.com
                      		208.95.112.1
                      		truefalse
                        		high
                        hope-asia.gl.at.ply.gg
                        		147.185.221.18
                        		truetrue
                          		unknown

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          hope-asia.gl.at.ply.ggtrue
                            		unknown
                            http://ip-api.com/line/?fields=hostingfalse
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://nuget.org/NuGet.exepowershell.exe, 00000003.00000002.1459040833.00000184C3331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1582648739.0000028C5D380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713916139.0000019C65D9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1434515455.00000184B34E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D53A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55F59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1434515455.00000184B34E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D53A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55F59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000003.00000002.1466092919.00000184CBA60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1595935692.0000028C65947000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.1459040833.00000184C3331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1582648739.0000028C5D380000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713916139.0000019C65D9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Licensepowershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://crl.micpowershell.exe, 00000009.00000002.1742649472.0000019C6E703000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/Iconpowershell.exe, 0000000B.00000002.1946209287.0000022DF6FDE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://crl.micft.cMicRosofpowershell.exe, 00000009.00000002.1742649472.0000019C6E703000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://aka.ms/pscore68powershell.exe, 00000003.00000002.1434515455.00000184B32C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE6F71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametwE44mm07j.exe, 00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1434515455.00000184B32C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1506583585.0000028C4D311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1627164367.0000019C55D31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1786574532.0000022DE6F71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.1786574532.0000022DE7198000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            208.95.112.1
                                                            		ip-api.comUnited States
                                                            		53334TUT-ASUSfalse
                                                            147.185.221.18
                                                            		hope-asia.gl.at.ply.ggUnited States
                                                            		12087SALSGIVERUStrue

                                                            General Information

                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1579076
                                                            Start date and time:2024-12-20 19:11:09 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 6m 45s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:22
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:twE44mm07j.exe
                                                            renamed because original name is a hash value
                                                            Original Sample Name:68a5c3157a890d65ae1836ef3794a757d9f1f06559ccf174e7b0e6293ada8925.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@20/21@2/2
                                                            EGA Information:
                                                            • Successful, ratio: 11.1%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 118
                                                            • Number of non-executed functions: 7
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target System User.exe, PID 1988 because it is empty
                                                            • Execution Graph export aborted for target System User.exe, PID 2000 because it is empty
                                                            • Execution Graph export aborted for target System User.exe, PID 4332 because it is empty
                                                            • Execution Graph export aborted for target System User.exe, PID 5236 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 2356 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 6936 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 7704 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 7964 because it is empty
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                            • VT rate limit hit for: twE44mm07j.exe

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            13:12:20API Interceptor62x Sleep call for process: powershell.exe modified
                                                            15:03:49API Interceptor97x Sleep call for process: twE44mm07j.exe modified
                                                            21:03:50Task SchedulerRun new task: System User path: C:\Users\user\AppData\Roaming\System s>User.exe
                                                            21:03:50AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
                                                            21:03:59AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User.exe
                                                            21:04:07AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            208.95.112.1YgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            dlhost.exeGet hashmaliciousXWormBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                            • ip-api.com/json
                                                            xt.exeGet hashmaliciousXWormBrowse
                                                            • ip-api.com/line/?fields=hosting
                                                            roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                            • ip-api.com/json
                                                            roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                            • ip-api.com/json
                                                            147.185.221.18YgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                              Discordd.exeGet hashmaliciousAsyncRATBrowse
                                                                Discord2.exeGet hashmaliciousAsyncRATBrowse
                                                                  Discord3.exeGet hashmaliciousAsyncRATBrowse
                                                                    7laJ4zKd8O.exeGet hashmaliciousXWormBrowse
                                                                      Discord.exeGet hashmaliciousAsyncRATBrowse
                                                                        r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                                                          Lr87y2w72r.exeGet hashmaliciousXWormBrowse
                                                                            7LwVrYH7sy.exeGet hashmaliciousXWormBrowse
                                                                              1c8DbXc5r0.exeGet hashmaliciousXWormBrowse

                                                                                Domains

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                hope-asia.gl.at.ply.ggYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                • 147.185.221.18
                                                                                7laJ4zKd8O.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.18
                                                                                ip-api.comYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                • 208.95.112.1
                                                                                KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                • 208.95.112.1
                                                                                DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 208.95.112.1
                                                                                dlhost.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                                                • 208.95.112.1
                                                                                xt.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                • 208.95.112.1
                                                                                roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                • 208.95.112.1

                                                                                ASNs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                SALSGIVERUSYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                • 147.185.221.18
                                                                                dr2YKJiGH9.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.23
                                                                                KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.24
                                                                                PjGz899RZV.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.24
                                                                                ehxF3rusxJ.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.24
                                                                                loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                • 147.184.134.130
                                                                                Client-built-Playit.exeGet hashmaliciousQuasarBrowse
                                                                                • 147.185.221.24
                                                                                PowerRat.exeGet hashmaliciousAsyncRATBrowse
                                                                                • 147.185.221.211
                                                                                file.exeGet hashmaliciousScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, XmrigBrowse
                                                                                • 147.185.221.24
                                                                                msedge.exeGet hashmaliciousXWormBrowse
                                                                                • 147.185.221.22
                                                                                TUT-ASUSYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                • 208.95.112.1
                                                                                KJhsNv2RcI.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                gs7lQa4EuM.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                doc00290320092.jseGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                • 208.95.112.1
                                                                                file.exeGet hashmaliciousNetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog StealerBrowse
                                                                                • 208.95.112.1
                                                                                DHL_231437894819.bat.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 208.95.112.1
                                                                                dlhost.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                                                • 208.95.112.1
                                                                                xt.exeGet hashmaliciousXWormBrowse
                                                                                • 208.95.112.1
                                                                                roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                                                                • 208.95.112.1

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                C:\Users\user\AppData\Roaming\System User.exeYgJ5inWPQO.exeGet hashmaliciousAsyncRAT, XWormBrowse

                                                                                  Created / dropped Files

                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.exe.log

                                                                                  Download File
                                                                                  Process:C:\Users\user\AppData\Roaming\System User.exe
                                                                                  File Type:CSV text
                                                                                  Category:dropped
                                                                                  Size (bytes):654
                                                                                  Entropy (8bit):5.380476433908377
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):0.34726597513537405
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlll:Nll
                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                  Malicious:false
                                                                                  Preview:@...e...........................................................

                                                                                  C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\twE44mm07j.exe
                                                                                  File Type:Generic INItialization configuration [WIN]
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):3.6722687970803873
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                                                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                                  Malicious:false
                                                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0qhsli4h.3er.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0roir41w.alq.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0sklbbfr.lb5.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rfouon0.pvm.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bntxsyl.bmq.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4vfdem4i.vjz.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4wdzhal2.0lu.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gn21piyt.c0m.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grifoo5k.hof.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hn2adokk.4ah.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzkmjai3.rfb.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5rxe2aq.rzw.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oygxglh0.up2.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1dfg1sv.vsg.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rywkqynh.ate.ps1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yzwemszr.ax3.psm1

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\twE44mm07j.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 20 19:03:48 2024, mtime=Fri Dec 20 19:03:48 2024, atime=Fri Dec 20 19:03:48 2024, length=83968, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):790
                                                                                  Entropy (8bit):5.088458033114005
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:8/41sh647S1N+2Chyi1Y//f4ILLalSkHZjEjA6NHlyfHOOZACZAzBmV:8gSGu2J9YAlqQARWyAuAtm
                                                                                  MD5:2AAC2B80FFEDA760493BE1495E65B08C
                                                                                  SHA1:3FAD8837E8430B76BC83F88265EB3313A5D6F037
                                                                                  SHA-256:E998B2B56C749AE5EC35E43E7D43E987BD7B56BAB1EDD1AF77611C55AD829D80
                                                                                  SHA-512:ADB08C5ACEA90888E0F924663797CB32D85B0BB5BF1FA2EA9CBFC496E590DEA985E271B2B4786E18DE1378526B7CB1290D35AB9287E9ED1999A45BE78B7513AB
                                                                                  Malicious:false
                                                                                  Preview:L..................F.... ...|.vH.S..|.vH.S..|.vH.S...H........................:..DG..Yr?.D..U..k0.&...&......Qg.*_........S.....H.S......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=.Y]...........................3*N.A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......EW.=.Y.............................(W.R.o.a.m.i.n.g.....l.2..H...Yy. .SYSTEM~1.EXE..P......Yy..Yy............................|..S.y.s.t.e.m. .U.s.e.r...e.x.e.......a...............-.......`....................C:\Users\user\AppData\Roaming\System User.exe........\.....\.....\.....\.....\.S.y.s.t.e.m. .U.s.e.r...e.x.e.`.......X.......536720...........hT..CrF.f4... ....n.....,......hT..CrF.f4... ....n.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                  C:\Users\user\AppData\Roaming\System User.exe

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\twE44mm07j.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):83968
                                                                                  Entropy (8bit):6.0557840174909385
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:S2q2+SuMeXA5gBQsGQ17zcaIcbml5eUwqo/wc/D6X0i3KOOtJHcA+:SV23ua0VKcbml5vje/Zi3FOtJ/+
                                                                                  MD5:A3B7B97F81C08C56A79971799B793072
                                                                                  SHA1:400525C81A140BEB77C035C95480D40B64496F8E
                                                                                  SHA-256:68A5C3157A890D65AE1836EF3794A757D9F1F06559CCF174E7B0E6293ADA8925
                                                                                  SHA-512:967E096C8091968CE0B2D53DFF0632B0CDC34D8B11E34C7F5CE8CEDD853D860F059E51318ECFD564BA0545A4304AFCCC8B4567BE777A2D55BB4C761E91F1F8DA
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: YgJ5inWPQO.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g.................>...........\... ...`....@.. ....................................@.................................d\..W....`............................................................................... ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................\......H........b..........&.....................................................(....*.r...p*. .x!.*..(....*.r...p*. ..A.*.s.........s.........s.........s.........*.r...p*. .+u.*.rV..p*. j...*.r...p*. }&..*.r...p*. S...*.ro..p*. *p{.*..((...*.r...p*. ...*.r...p*. +.).*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rp..p*. ~.H.*.r...p*. ....*.r...p*. ..?.*.rk..p*. ..e.*.r...p*.r...p*.rf..p*.r...p*. ..

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Entropy (8bit):6.0557840174909385
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                  • Windows Screen Saver (13104/52) 0.07%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                  File name:twE44mm07j.exe
                                                                                  File size:83'968 bytes
                                                                                  MD5:a3b7b97f81c08c56a79971799b793072
                                                                                  SHA1:400525c81a140beb77c035c95480d40b64496f8e
                                                                                  SHA256:68a5c3157a890d65ae1836ef3794a757d9f1f06559ccf174e7b0e6293ada8925
                                                                                  SHA512:967e096c8091968ce0b2d53dff0632b0cdc34d8b11e34c7f5ce8cedd853d860f059e51318ecfd564ba0545a4304afccc8b4567be777a2d55bb4c761e91f1f8da
                                                                                  SSDEEP:1536:S2q2+SuMeXA5gBQsGQ17zcaIcbml5eUwqo/wc/D6X0i3KOOtJHcA+:SV23ua0VKcbml5vje/Zi3FOtJ/+
                                                                                  TLSH:6A837D2C77E90525E0FF9BB00DF53222DA39F7636903D65F28C6028A5A27A88CD517F5
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]g.................>...........\... ...`....@.. ....................................@................................

                                                                                  File Icon

                                                                                  Icon Hash:00928e8e8686b000

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x415cbe
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x675D0202 [Sat Dec 14 03:56:50 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  jmp dword ptr [00402000h]
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al
                                                                                  add byte ptr [eax], al

                                                                                  Data Directories

                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x15c640x57.text
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x4ce.rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x180000xc.reloc
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                  Sections

                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                  .text0x20000x13cc40x13e00528ee319caa70a19f3533d5d7809a2f5False0.6212043042452831data6.119470684687415IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rsrc0x160000x4ce0x6005a6d0a05bcba0e7566d1b549d8853ad8False0.373046875data3.7105250913853856IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .reloc0x180000xc0x2003552e1651b70f8ed8ebee4005ae3e650False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                  Resources

                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                  RT_VERSION0x160a00x244data0.4706896551724138
                                                                                  RT_MANIFEST0x162e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                                  Imports

                                                                                  DLLImport
                                                                                  mscoree.dll_CorExeMain

                                                                                  Network Behavior

                                                                                  Suricata IDS Alerts

                                                                                  TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                  2024-12-20T19:13:32.978800+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.749847TCP
                                                                                  2024-12-20T19:13:32.978800+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.1835710192.168.2.749847TCP
                                                                                  2024-12-20T19:13:37.328246+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.749847147.185.221.1835710TCP
                                                                                  2024-12-20T19:13:37.834744+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.1835710192.168.2.749847TCP
                                                                                  2024-12-20T19:13:37.836338+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.749847147.185.221.1835710TCP

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 20, 2024 19:12:19.140594959 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:12:19.260149002 CET8049705208.95.112.1192.168.2.7
                                                                                  Dec 20, 2024 19:12:19.260226965 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:12:19.261163950 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:12:19.380664110 CET8049705208.95.112.1192.168.2.7
                                                                                  Dec 20, 2024 19:12:20.432151079 CET8049705208.95.112.1192.168.2.7
                                                                                  Dec 20, 2024 19:12:20.481139898 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:13:23.364411116 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:23.485049963 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:23.485224009 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:23.924814939 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:24.044410944 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:29.970206976 CET8049705208.95.112.1192.168.2.7
                                                                                  Dec 20, 2024 19:13:29.973718882 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:13:32.978800058 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:33.028280973 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:37.328246117 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:37.448128939 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:37.834743977 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:37.836338043 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:37.956098080 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:13:50.732091904 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:13:50.851871967 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:14:00.561589956 CET4970580192.168.2.7208.95.112.1
                                                                                  Dec 20, 2024 19:14:00.681113005 CET8049705208.95.112.1192.168.2.7
                                                                                  Dec 20, 2024 19:14:04.138191938 CET4984735710192.168.2.7147.185.221.18
                                                                                  Dec 20, 2024 19:14:04.257694960 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:14:19.202981949 CET3571049847147.185.221.18192.168.2.7
                                                                                  Dec 20, 2024 19:14:19.203053951 CET4984735710192.168.2.7147.185.221.18

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Dec 20, 2024 19:12:18.938452005 CET6465553192.168.2.71.1.1.1
                                                                                  Dec 20, 2024 19:12:19.078224897 CET53646551.1.1.1192.168.2.7
                                                                                  Dec 20, 2024 19:13:23.074099064 CET6320153192.168.2.71.1.1.1
                                                                                  Dec 20, 2024 19:13:23.331479073 CET53632011.1.1.1192.168.2.7

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Dec 20, 2024 19:12:18.938452005 CET192.168.2.71.1.1.10x1c39Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                  Dec 20, 2024 19:13:23.074099064 CET192.168.2.71.1.1.10x6166Standard query (0)hope-asia.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Dec 20, 2024 19:12:19.078224897 CET1.1.1.1192.168.2.70x1c39No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                  Dec 20, 2024 19:13:23.331479073 CET1.1.1.1192.168.2.70x6166No error (0)hope-asia.gl.at.ply.gg147.185.221.18A (IP address)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • ip-api.com

                                                                                  HTTP Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.749705208.95.112.1807436C:\Users\user\Desktop\twE44mm07j.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Dec 20, 2024 19:12:19.261163950 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                  Host: ip-api.com
                                                                                  Connection: Keep-Alive
                                                                                  Dec 20, 2024 19:12:20.432151079 CET175INHTTP/1.1 200 OK
                                                                                  Date: Fri, 20 Dec 2024 18:12:19 GMT
                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                  Content-Length: 6
                                                                                  Access-Control-Allow-Origin: *
                                                                                  X-Ttl: 60
                                                                                  X-Rl: 44
                                                                                  Data Raw: 66 61 6c 73 65 0a
                                                                                  Data Ascii: false


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:13:12:10
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\Desktop\twE44mm07j.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\twE44mm07j.exe"
                                                                                  Imagebase:0xc50000
                                                                                  File size:83'968 bytes
                                                                                  MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2569926614.000000000301C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2569926614.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2569926614.00000000030C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1306411853.0000000000C52000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:13:12:19
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\twE44mm07j.exe'
                                                                                  Imagebase:0x7ff741d30000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:13:12:19
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:7
                                                                                  Start time:13:12:27
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'twE44mm07j.exe'
                                                                                  Imagebase:0x7ff741d30000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:8
                                                                                  Start time:13:12:27
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:9
                                                                                  Start time:15:03:07
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                                                                                  Imagebase:0x7ff741d30000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:10
                                                                                  Start time:15:03:07
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:11
                                                                                  Start time:15:03:22
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                                                                                  Imagebase:0x7ff741d30000
                                                                                  File size:452'608 bytes
                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:12
                                                                                  Start time:15:03:22
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:15
                                                                                  Start time:15:03:48
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                                                                                  Imagebase:0x7ff6c0940000
                                                                                  File size:235'008 bytes
                                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:16
                                                                                  Start time:15:03:48
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff75da10000
                                                                                  File size:862'208 bytes
                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:17
                                                                                  Start time:15:03:50
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                  Imagebase:0x20000
                                                                                  File size:83'968 bytes
                                                                                  MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 82%, ReversingLabs
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:18
                                                                                  Start time:15:03:58
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                  Imagebase:0x460000
                                                                                  File size:83'968 bytes
                                                                                  MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:19
                                                                                  Start time:15:04:01
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                  Imagebase:0xcc0000
                                                                                  File size:83'968 bytes
                                                                                  MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:20
                                                                                  Start time:15:04:07
                                                                                  Start date:20/12/2024
                                                                                  Path:C:\Users\user\AppData\Roaming\System User.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                                                  Imagebase:0xdc0000
                                                                                  File size:83'968 bytes
                                                                                  MD5 hash:A3B7B97F81C08C56A79971799B793072
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Has exited:true

                                                                                  Disassembly

                                                                                  Reset < >

                                                                                    Execution Graph

                                                                                    Execution Coverage:24.4%
                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                    Signature Coverage:15.8%
                                                                                    Total number of Nodes:19
                                                                                    Total number of Limit Nodes:1
                                                                                    execution_graph 6327 7ffaac60af41 6330 7ffaac60af7c 6327->6330 6328 7ffaac60afce 6330->6328 6331 7ffaac609838 6330->6331 6332 7ffaac609816 RtlSetProcessIsCritical 6331->6332 6334 7ffaac609962 6332->6334 6334->6330 6323 7ffaac607a81 6324 7ffaac607ace CheckRemoteDebuggerPresent 6323->6324 6326 7ffaac607b3f 6324->6326 6339 7ffaac608bf2 6340 7ffaac6098b0 RtlSetProcessIsCritical 6339->6340 6342 7ffaac609962 6340->6342 6319 7ffaac609da8 6320 7ffaac609db1 SetWindowsHookExW 6319->6320 6322 7ffaac609e81 6320->6322 6335 7ffaac609758 6336 7ffaac609723 6335->6336 6336->6335 6337 7ffaac609902 RtlSetProcessIsCritical 6336->6337 6338 7ffaac609962 6337->6338

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC60A920 Relevance: 2.5, Strings: 1, Instructions: 1205COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 7 7ffaac60a920-7ffaac60e0d3 9 7ffaac60e11d-7ffaac60e125 7->9 10 7ffaac60e0d5-7ffaac60e0e0 call 7ffaac600a40 7->10 11 7ffaac60e19b 9->11 12 7ffaac60e127-7ffaac60e144 9->12 14 7ffaac60e0e5-7ffaac60e11c 10->14 15 7ffaac60e1a0-7ffaac60e1b5 11->15 12->15 18 7ffaac60e146-7ffaac60e196 call 7ffaac60c270 12->18 14->9 21 7ffaac60e1d3-7ffaac60e1e8 15->21 22 7ffaac60e1b7-7ffaac60e1ce call 7ffaac601228 call 7ffaac600a50 15->22 43 7ffaac60eddb-7ffaac60ede9 18->43 29 7ffaac60e1ea-7ffaac60e21a call 7ffaac601228 21->29 30 7ffaac60e21f-7ffaac60e234 21->30 22->43 29->43 38 7ffaac60e236-7ffaac60e242 call 7ffaac60b9c8 30->38 39 7ffaac60e247-7ffaac60e25c 30->39 38->43 48 7ffaac60e25e-7ffaac60e261 39->48 49 7ffaac60e2a2-7ffaac60e2b7 39->49 48->11 51 7ffaac60e267-7ffaac60e272 48->51 55 7ffaac60e2f8-7ffaac60e30d 49->55 56 7ffaac60e2b9-7ffaac60e2bc 49->56 51->11 53 7ffaac60e278-7ffaac60e29d call 7ffaac600a28 call 7ffaac60b9c8 51->53 53->43 63 7ffaac60e33a-7ffaac60e34f 55->63 64 7ffaac60e30f-7ffaac60e312 55->64 56->11 57 7ffaac60e2c2-7ffaac60e2cd 56->57 57->11 59 7ffaac60e2d3-7ffaac60e2f3 call 7ffaac600a28 call 7ffaac60a970 57->59 59->43 73 7ffaac60e355-7ffaac60e3a1 call 7ffaac6009b0 63->73 74 7ffaac60e427-7ffaac60e43c 63->74 64->11 65 7ffaac60e318-7ffaac60e335 call 7ffaac600a28 call 7ffaac60a978 64->65 65->43 73->11 107 7ffaac60e3a7-7ffaac60e3df call 7ffaac607700 73->107 82 7ffaac60e45b-7ffaac60e470 74->82 83 7ffaac60e43e-7ffaac60e441 74->83 90 7ffaac60e492-7ffaac60e4a7 82->90 91 7ffaac60e472-7ffaac60e475 82->91 83->11 85 7ffaac60e447-7ffaac60e456 call 7ffaac60a950 83->85 85->43 98 7ffaac60e4c7-7ffaac60e4dc 90->98 99 7ffaac60e4a9-7ffaac60e4c2 90->99 91->11 93 7ffaac60e47b-7ffaac60e48d call 7ffaac60a950 91->93 93->43 105 7ffaac60e4fc-7ffaac60e511 98->105 106 7ffaac60e4de-7ffaac60e4f7 98->106 99->43 110 7ffaac60e531-7ffaac60e546 105->110 111 7ffaac60e513-7ffaac60e52c 105->111 106->43 107->11 126 7ffaac60e3e5-7ffaac60e422 call 7ffaac60b9f8 107->126 116 7ffaac60e56f-7ffaac60e584 110->116 117 7ffaac60e548-7ffaac60e54b 110->117 111->43 123 7ffaac60e58a-7ffaac60e602 116->123 124 7ffaac60e624-7ffaac60e639 116->124 117->11 119 7ffaac60e551-7ffaac60e56a 117->119 119->43 123->11 156 7ffaac60e608-7ffaac60e61f 123->156 132 7ffaac60e63b-7ffaac60e64c 124->132 133 7ffaac60e651-7ffaac60e666 124->133 126->43 132->43 140 7ffaac60e66c-7ffaac60e6e4 133->140 141 7ffaac60e706-7ffaac60e71b 133->141 140->11 171 7ffaac60e6ea-7ffaac60e701 140->171 147 7ffaac60e71d-7ffaac60e72e 141->147 148 7ffaac60e733-7ffaac60e748 141->148 147->43 154 7ffaac60e77a-7ffaac60e78f 148->154 155 7ffaac60e74a-7ffaac60e775 call 7ffaac600d40 call 7ffaac60c270 148->155 164 7ffaac60e86c-7ffaac60e881 154->164 165 7ffaac60e795-7ffaac60e867 call 7ffaac600d40 call 7ffaac60c270 154->165 155->43 156->43 173 7ffaac60e887-7ffaac60e88a 164->173 174 7ffaac60e948-7ffaac60e95d 164->174 165->43 171->43 175 7ffaac60e93d-7ffaac60e942 173->175 176 7ffaac60e890-7ffaac60e89b 173->176 183 7ffaac60e95f-7ffaac60e96c call 7ffaac60c270 174->183 184 7ffaac60e971-7ffaac60e986 174->184 187 7ffaac60e943 175->187 176->175 181 7ffaac60e8a1-7ffaac60e93b call 7ffaac600d40 call 7ffaac60c270 176->181 181->187 183->43 192 7ffaac60e9fd-7ffaac60ea12 184->192 193 7ffaac60e988-7ffaac60e999 184->193 187->43 201 7ffaac60ea52-7ffaac60ea67 192->201 202 7ffaac60ea14-7ffaac60ea17 192->202 193->11 199 7ffaac60e99f-7ffaac60e9af call 7ffaac600a20 193->199 212 7ffaac60e9db-7ffaac60e9f8 call 7ffaac600a20 call 7ffaac600a28 call 7ffaac60a928 199->212 213 7ffaac60e9b1-7ffaac60e9d6 call 7ffaac60c270 199->213 210 7ffaac60eaad-7ffaac60eac2 201->210 211 7ffaac60ea69-7ffaac60eaa8 call 7ffaac608f50 call 7ffaac60bf38 call 7ffaac60a930 201->211 202->11 205 7ffaac60ea1d-7ffaac60ea4d call 7ffaac600a18 call 7ffaac600a28 call 7ffaac60a928 202->205 205->43 230 7ffaac60eb62-7ffaac60eb77 210->230 231 7ffaac60eac8-7ffaac60eb5d call 7ffaac600d40 call 7ffaac60c270 210->231 211->43 212->43 213->43 230->43 247 7ffaac60eb7d-7ffaac60eb84 230->247 231->43 250 7ffaac60eb86-7ffaac60eb90 call 7ffaac60ba08 247->250 251 7ffaac60eb97-7ffaac60ec3f call 7ffaac60ba18 call 7ffaac60ba28 call 7ffaac60ba38 call 7ffaac60ba48 247->251 250->251 289 7ffaac60ec91-7ffaac60ecb1 call 7ffaac60ba28 call 7ffaac60ba38 251->289 290 7ffaac60ec41-7ffaac60ec90 call 7ffaac6083c8 call 7ffaac60ba58 251->290 300 7ffaac60ed22-7ffaac60ed31 289->300 301 7ffaac60ecb3-7ffaac60ecb7 289->301 290->289 302 7ffaac60ed38-7ffaac60edda call 7ffaac600d40 call 7ffaac600a30 call 7ffaac60c270 300->302 301->302 303 7ffaac60ecb9-7ffaac60ed18 call 7ffaac60ba68 call 7ffaac60ba78 301->303 302->43 303->300
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID: 0-3916222277
                                                                                    • Opcode ID: d37981c6874807d39964d904d10b4e80c11194c9e302e86a88af2dbf30456d93
                                                                                    • Instruction ID: 787d6652a608d07c90d293df5413cdec5d1963a81f48b572d9f526ff706d82b4
                                                                                    • Opcode Fuzzy Hash: d37981c6874807d39964d904d10b4e80c11194c9e302e86a88af2dbf30456d93
                                                                                    • Instruction Fuzzy Hash: 7882B320B1C91A9BFB95EB38D456A79B3D2EF99300F50E579D05ED32C3DD28E8068781
                                                                                    Function 00007FFAAC601290 Relevance: 2.0, Strings: 1, Instructions: 743COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 330 7ffaac601290-7ffaac60170b 333 7ffaac60170d-7ffaac601715 330->333 334 7ffaac60177c-7ffaac601885 call 7ffaac600638 * 7 call 7ffaac600a48 330->334 366 7ffaac601887-7ffaac60188e 334->366 367 7ffaac60188f-7ffaac601906 call 7ffaac6004b8 call 7ffaac6004b0 call 7ffaac600358 call 7ffaac600368 334->367 366->367 382 7ffaac601919-7ffaac601929 367->382 383 7ffaac601908-7ffaac601912 367->383 386 7ffaac601951-7ffaac601971 382->386 387 7ffaac60192b-7ffaac60194a call 7ffaac600358 382->387 383->382 393 7ffaac601973-7ffaac60197d call 7ffaac600378 386->393 394 7ffaac601982-7ffaac6019ad 386->394 387->386 393->394 399 7ffaac6019af-7ffaac6019b9 394->399 400 7ffaac6019ba-7ffaac6019e6 call 7ffaac601038 394->400 399->400 406 7ffaac601a86-7ffaac601b14 400->406 407 7ffaac6019ec-7ffaac601a81 400->407 427 7ffaac601b1b-7ffaac601c59 call 7ffaac600870 call 7ffaac601288 call 7ffaac600388 call 7ffaac600398 406->427 407->427 450 7ffaac601ca7-7ffaac601cda 427->450 451 7ffaac601c5b-7ffaac601c8e 427->451 461 7ffaac601cff-7ffaac601d2f 450->461 462 7ffaac601cdc-7ffaac601cfd 450->462 451->450 458 7ffaac601c90-7ffaac601c9d 451->458 458->450 463 7ffaac601c9f-7ffaac601ca5 458->463 465 7ffaac601d37-7ffaac601d6e 461->465 462->465 463->450 471 7ffaac601d93-7ffaac601dc3 465->471 472 7ffaac601d70-7ffaac601d91 465->472 474 7ffaac601dcb-7ffaac601ead call 7ffaac6003a8 call 7ffaac6009e8 call 7ffaac601038 471->474 472->474 492 7ffaac601eb4-7ffaac601f4d 474->492 493 7ffaac601eaf call 7ffaac601220 474->493 493->492
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CAM_^
                                                                                    • API String ID: 0-3136481660
                                                                                    • Opcode ID: 8f3240e59f74b3f80f7f73d8b7f0dd1e445575493030c5108b66a7ff15a0761c
                                                                                    • Instruction ID: 8a1443d7f7f07ef2c960aee2a27312ebfff063ee763f8e98ddf3a1f81f076e18
                                                                                    • Opcode Fuzzy Hash: 8f3240e59f74b3f80f7f73d8b7f0dd1e445575493030c5108b66a7ff15a0761c
                                                                                    • Instruction Fuzzy Hash: DA32F461B28A0A9BF799E738C459779B7D2FF89300F449579E44FD32D2CE28E8058781
                                                                                    Function 00007FFAAC601719 Relevance: 1.9, Strings: 1, Instructions: 691COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 504 7ffaac601719-7ffaac601750 505 7ffaac601756-7ffaac601780 call 7ffaac600638 504->505 506 7ffaac601f7f-7ffaac601fc6 504->506 516 7ffaac60178c-7ffaac601885 call 7ffaac600638 * 6 call 7ffaac600a48 505->516 517 7ffaac601787 call 7ffaac600638 505->517 547 7ffaac601887-7ffaac60188e 516->547 548 7ffaac60188f-7ffaac601906 call 7ffaac6004b8 call 7ffaac6004b0 call 7ffaac600358 call 7ffaac600368 516->548 517->516 547->548 563 7ffaac601919-7ffaac601929 548->563 564 7ffaac601908-7ffaac601912 548->564 567 7ffaac601951-7ffaac601971 563->567 568 7ffaac60192b-7ffaac60194a call 7ffaac600358 563->568 564->563 574 7ffaac601973-7ffaac60197d call 7ffaac600378 567->574 575 7ffaac601982-7ffaac6019ad 567->575 568->567 574->575 580 7ffaac6019af-7ffaac6019b9 575->580 581 7ffaac6019ba-7ffaac6019e6 call 7ffaac601038 575->581 580->581 587 7ffaac601a86-7ffaac601b14 581->587 588 7ffaac6019ec-7ffaac601a81 581->588 608 7ffaac601b1b-7ffaac601c59 call 7ffaac600870 call 7ffaac601288 call 7ffaac600388 call 7ffaac600398 587->608 588->608 631 7ffaac601ca7-7ffaac601cda 608->631 632 7ffaac601c5b-7ffaac601c8e 608->632 642 7ffaac601cff-7ffaac601d2f 631->642 643 7ffaac601cdc-7ffaac601cfd 631->643 632->631 639 7ffaac601c90-7ffaac601c9d 632->639 639->631 644 7ffaac601c9f-7ffaac601ca5 639->644 646 7ffaac601d37-7ffaac601d6e 642->646 643->646 644->631 652 7ffaac601d93-7ffaac601dc3 646->652 653 7ffaac601d70-7ffaac601d91 646->653 655 7ffaac601dcb-7ffaac601ead call 7ffaac6003a8 call 7ffaac6009e8 call 7ffaac601038 652->655 653->655 673 7ffaac601eb4-7ffaac601f4d 655->673 674 7ffaac601eaf call 7ffaac601220 655->674 674->673
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CAM_^
                                                                                    • API String ID: 0-3136481660
                                                                                    • Opcode ID: 87b71b4568134731040c3dc6e9e9639b49134102a7715e075cd52c02490829cd
                                                                                    • Instruction ID: 29ab95abc05a2914d71477e53f70e71eccfca7f291eebaf8efbd46eb30acde4e
                                                                                    • Opcode Fuzzy Hash: 87b71b4568134731040c3dc6e9e9639b49134102a7715e075cd52c02490829cd
                                                                                    • Instruction Fuzzy Hash: 8D22E461B19A4A9FF799E738C4597B9B7D2FF89300F449579E00ED32D2CE28E8058781
                                                                                    Function 00007FFAAC607A81 Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 755 7ffaac607a81-7ffaac607b3d CheckRemoteDebuggerPresent 758 7ffaac607b45-7ffaac607b88 755->758 759 7ffaac607b3f 755->759 759->758
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                    • String ID:
                                                                                    • API String ID: 3662101638-0
                                                                                    • Opcode ID: ff40f23b16679a5a4021bf949c9deb93e1e93b66b9cfba43d374d1debc971846
                                                                                    • Instruction ID: fd752c9826032910ff7ec4865f588db3dea72a63a08b2098defed2664ef0a147
                                                                                    • Opcode Fuzzy Hash: ff40f23b16679a5a4021bf949c9deb93e1e93b66b9cfba43d374d1debc971846
                                                                                    • Instruction Fuzzy Hash: 6A31257190871C8FCB58DF58C88ABE97BE0FF65311F04816AD48AD7252DB34A856CB91
                                                                                    Function 00007FFAAC6060C6 Relevance: .5, Instructions: 473COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1038 7ffaac6060c6-7ffaac6060d3 1039 7ffaac6060d5-7ffaac6060dd 1038->1039 1040 7ffaac6060de-7ffaac6061a7 1038->1040 1039->1040 1043 7ffaac6061a9-7ffaac6061b2 1040->1043 1044 7ffaac606213 1040->1044 1043->1044 1046 7ffaac6061b4-7ffaac6061c0 1043->1046 1045 7ffaac606215-7ffaac60623a 1044->1045 1052 7ffaac6062a6 1045->1052 1053 7ffaac60623c-7ffaac606245 1045->1053 1047 7ffaac6061f9-7ffaac606211 1046->1047 1048 7ffaac6061c2-7ffaac6061d4 1046->1048 1047->1045 1050 7ffaac6061d8-7ffaac6061eb 1048->1050 1051 7ffaac6061d6 1048->1051 1050->1050 1054 7ffaac6061ed-7ffaac6061f5 1050->1054 1051->1050 1056 7ffaac6062a8-7ffaac606350 1052->1056 1053->1052 1055 7ffaac606247-7ffaac606253 1053->1055 1054->1047 1057 7ffaac606255-7ffaac606267 1055->1057 1058 7ffaac60628c-7ffaac6062a4 1055->1058 1067 7ffaac606352-7ffaac60635c 1056->1067 1068 7ffaac6063be 1056->1068 1059 7ffaac606269 1057->1059 1060 7ffaac60626b-7ffaac60627e 1057->1060 1058->1056 1059->1060 1060->1060 1062 7ffaac606280-7ffaac606288 1060->1062 1062->1058 1067->1068 1069 7ffaac60635e-7ffaac60636b 1067->1069 1070 7ffaac6063c0-7ffaac6063e9 1068->1070 1071 7ffaac6063a4-7ffaac6063bc 1069->1071 1072 7ffaac60636d-7ffaac60637f 1069->1072 1076 7ffaac606453 1070->1076 1077 7ffaac6063eb-7ffaac6063f6 1070->1077 1071->1070 1073 7ffaac606383-7ffaac606396 1072->1073 1074 7ffaac606381 1072->1074 1073->1073 1078 7ffaac606398-7ffaac6063a0 1073->1078 1074->1073 1080 7ffaac606455-7ffaac6064e6 1076->1080 1077->1076 1079 7ffaac6063f8-7ffaac606406 1077->1079 1078->1071 1081 7ffaac606408-7ffaac60641a 1079->1081 1082 7ffaac60643f-7ffaac606451 1079->1082 1088 7ffaac6064ec-7ffaac6064fb 1080->1088 1083 7ffaac60641e-7ffaac606431 1081->1083 1084 7ffaac60641c 1081->1084 1082->1080 1083->1083 1086 7ffaac606433-7ffaac60643b 1083->1086 1084->1083 1086->1082 1089 7ffaac606503-7ffaac606568 call 7ffaac606584 1088->1089 1090 7ffaac6064fd 1088->1090 1097 7ffaac60656f-7ffaac606583 1089->1097 1098 7ffaac60656a 1089->1098 1090->1089 1098->1097
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1de447be31454980f93eb570b48090a8a0b16d1083b3066c29ca0e7c0b94542b
                                                                                    • Instruction ID: 99ce15b23e46fe103e6d1853bc6c50234dd08e1950c884848c50f79563f5b257
                                                                                    • Opcode Fuzzy Hash: 1de447be31454980f93eb570b48090a8a0b16d1083b3066c29ca0e7c0b94542b
                                                                                    • Instruction Fuzzy Hash: 0FF19130909A8E8FEBA9DF28C855BE937E1FF55310F04927AE84DC7291CB74D9458B81
                                                                                    Function 00007FFAAC606E72 Relevance: .5, Instructions: 459COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6d54eb61f87519e2810bcd29c51757868c8224432b6a1440db3bf61e7289ca33
                                                                                    • Instruction ID: b0526bb2614f856dc401c289eb9b50a1997499bdd814b0de953fe34ce896abb9
                                                                                    • Opcode Fuzzy Hash: 6d54eb61f87519e2810bcd29c51757868c8224432b6a1440db3bf61e7289ca33
                                                                                    • Instruction Fuzzy Hash: 49E1E370909A4E8FEBA9DF28C8557E977E1EB55311F04C26EE80EC7291DE74E8448BC1
                                                                                    Function 00007FFAAC6020F1 Relevance: .2, Instructions: 208COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d6f07219074893a7721ca3592e3455477d252ade0008fe5aca71f9bd72ae4ebe
                                                                                    • Instruction ID: 9e74c60909273e82df1f636a0b4cc2f1810448edd5c9a4258baa916028f10e4a
                                                                                    • Opcode Fuzzy Hash: d6f07219074893a7721ca3592e3455477d252ade0008fe5aca71f9bd72ae4ebe
                                                                                    • Instruction Fuzzy Hash: B051326161E6C94FE787A7788864675BFD4DF87229B0845FBE0CDC71A3DD08480AC382
                                                                                    Function 00007FFAAC608BF2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID: L_^
                                                                                    • API String ID: 2695349919-3397556586
                                                                                    • Opcode ID: 109f93d4ed49173a33e69eb601a6773a03fe907dff5d26db6258265c41b754c6
                                                                                    • Instruction ID: 2a5705f0d88c61ef6338186b9047f0ed8f1af799cabf84e7248b2eff28e73d99
                                                                                    • Opcode Fuzzy Hash: 109f93d4ed49173a33e69eb601a6773a03fe907dff5d26db6258265c41b754c6
                                                                                    • Instruction Fuzzy Hash: 9231E27180CA08CFDB28DB69D845BE97BF0FF65311F04412ED08AD3692DB34A856CB91
                                                                                    Function 00007FFAAC609758 Relevance: 1.8, APIs: 1, Instructions: 261COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: be806b6e036cd72a7bbb9926facf98fac26d24735c75fe144ff7481e4175f804
                                                                                    • Instruction ID: 8535a421897d81ca0334cc77bf42879acfa443b92c8fd985cbdb17363d644edb
                                                                                    • Opcode Fuzzy Hash: be806b6e036cd72a7bbb9926facf98fac26d24735c75fe144ff7481e4175f804
                                                                                    • Instruction Fuzzy Hash: 6F8124A290E7C19FF756DB68981A2B97FE0FF12210F1890BED0C997193D9249D0AC791
                                                                                    Function 00007FFAAC609838 Relevance: 1.7, APIs: 1, Instructions: 163COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 721 7ffaac609838-7ffaac60983f 722 7ffaac609841-7ffaac609860 721->722 724 7ffaac60981c-7ffaac60983f 722->724 725 7ffaac609862-7ffaac609869 722->725 724->722 728 7ffaac60986b-7ffaac609960 RtlSetProcessIsCritical 725->728 729 7ffaac609816-7ffaac609819 725->729 739 7ffaac609962 728->739 740 7ffaac609968-7ffaac60999d 728->740 729->724 739->740
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2695349919-0
                                                                                    • Opcode ID: d1d3b627b9858835192a8d24a2eab9f2337f868e6023310c689186675c069fdf
                                                                                    • Instruction ID: fbd4561196cb82056ac14869f36d7fd7176d836c5b2783c351cabe6b9d48f585
                                                                                    • Opcode Fuzzy Hash: d1d3b627b9858835192a8d24a2eab9f2337f868e6023310c689186675c069fdf
                                                                                    • Instruction Fuzzy Hash: 9D51267180D7858FEB5ADB6C98456A97FE0FF12310F04817ED08A93193DE24A849C791
                                                                                    Function 00007FFAAC609DA8 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 742 7ffaac609da8-7ffaac609daf 743 7ffaac609dba-7ffaac609e2d 742->743 744 7ffaac609db1-7ffaac609db9 742->744 747 7ffaac609e33-7ffaac609e40 743->747 748 7ffaac609eb9-7ffaac609ebd 743->748 744->743 749 7ffaac609e42-7ffaac609e7f SetWindowsHookExW 747->749 748->749 751 7ffaac609e81 749->751 752 7ffaac609e87-7ffaac609eb8 749->752 751->752
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID: HookWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2559412058-0
                                                                                    • Opcode ID: 105555961a7ad166c67a33cba898252e9ba70d6dc85b958e8824540f5d6295be
                                                                                    • Instruction ID: af0744490ee4c8c35c4ae8fb08358d4b6e2e0bfacc50224108d78bd428dcbacb
                                                                                    • Opcode Fuzzy Hash: 105555961a7ad166c67a33cba898252e9ba70d6dc85b958e8824540f5d6295be
                                                                                    • Instruction Fuzzy Hash: 30310A7090CA0D9FEB58EB6CD8066F97BE1EB59321F00423ED00ED3292CE65A816C7C1

                                                                                    Non-executed Functions

                                                                                    Function 00007FFAAC60F148 Relevance: .2, Instructions: 232COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9e32c6a2cab0c44acf1b005ac49c8e31cb2df1a8e76460fe4ae06f92019e0585
                                                                                    • Instruction ID: b6ff415192e9c89d98f56dd22ccbfeb3e043e8c25d59ca13510ffbbd2cdb66f7
                                                                                    • Opcode Fuzzy Hash: 9e32c6a2cab0c44acf1b005ac49c8e31cb2df1a8e76460fe4ae06f92019e0585
                                                                                    • Instruction Fuzzy Hash: 9C71EA2054F3C55FE383D338D859AA57F91AF87329F0D81FAE088CA4A3DA99440AC753
                                                                                    Function 00007FFAAC6010A5 Relevance: .2, Instructions: 189COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2583685952.00007FFAAC600000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC600000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ffaac600000_twE44mm07j.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ce70e7923ef9889974f6548978f9e88fa2e6e179e6f70c649c7039d856b2107
                                                                                    • Instruction ID: 446b419242c82a300cdc228f8a1731b204333da554dafdb0addce46cb3aff364
                                                                                    • Opcode Fuzzy Hash: 5ce70e7923ef9889974f6548978f9e88fa2e6e179e6f70c649c7039d856b2107
                                                                                    • Instruction Fuzzy Hash: 5C5104B7A0E0755BE711B7FDB4618E97B20DF46335B0882B7D14ECE1A38D18608986D5

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC6C6605 Relevance: .4, Instructions: 442COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1469057107.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3daa4d4ccebc815b734a3b1dfe1519dd90f802dfd6bc0c40318509f28de58f45
                                                                                    • Instruction ID: 3358984623b79c2ff7a6d18ed4f851e10f9012276e66c19eebca8fd109d38bcd
                                                                                    • Opcode Fuzzy Hash: 3daa4d4ccebc815b734a3b1dfe1519dd90f802dfd6bc0c40318509f28de58f45
                                                                                    • Instruction Fuzzy Hash: AED156B190EB8A9FF797EB6888555B57FE0EF06310B0451BAE04DC70D3DE18E8098396
                                                                                    Function 00007FFAAC5F9EFB Relevance: .2, Instructions: 231COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0db656478b4124530f6bf32421308a813ff67660cd4f41ee92e55137c43502e8
                                                                                    • Instruction ID: d45a38f836064aca919930d3e2221db2666aa6e1388ead7ae8a207b35487ba38
                                                                                    • Opcode Fuzzy Hash: 0db656478b4124530f6bf32421308a813ff67660cd4f41ee92e55137c43502e8
                                                                                    • Instruction Fuzzy Hash: F0711F73D0D78A8FE305EB6CE8660E57B60EF03229B0843F7D48D8A193ED245459D6D5
                                                                                    Function 00007FFAAC4DE380 Relevance: .1, Instructions: 125COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468071419.00007FFAAC4DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4DD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac4dd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a457f2bad69eecdd7f83c76feb94225213028aa2341cede37e0279b7c3efd0c
                                                                                    • Instruction ID: 10108764c90640f9c076be021336cabbfcfcf5707c08593e951b09cc5fa34ace
                                                                                    • Opcode Fuzzy Hash: 6a457f2bad69eecdd7f83c76feb94225213028aa2341cede37e0279b7c3efd0c
                                                                                    • Instruction Fuzzy Hash: 7E41057140EBC48FE7569B299845A623FF0EF53314B1501EFD08CCB1A3D625E80AC792
                                                                                    Function 00007FFAAC5F978B Relevance: .1, Instructions: 112COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a12d2bd17924cb51f55010b3fd50d4dcf54fd7ded227b3505f28f327330cfabc
                                                                                    • Instruction ID: b8d1819fa835a2f80f415458ed7f207fe4cfa20aec2be9442d1f37a1474c14f4
                                                                                    • Opcode Fuzzy Hash: a12d2bd17924cb51f55010b3fd50d4dcf54fd7ded227b3505f28f327330cfabc
                                                                                    • Instruction Fuzzy Hash: F731917191CB4C9FDB5C9B5CA84A6A97BE0FB99321F00822FE449D3251CA71A8558BC2
                                                                                    Function 00007FFAAC5FA47C Relevance: .1, Instructions: 99COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 345cf38d8bf93af0c83a3237d392a65fe0a72884042d0bfd2c7da8080ba72b49
                                                                                    • Instruction ID: a55b36998834581d96f2b8759f187053ce9b62bcef5e17d0f721fe3cdb261b2c
                                                                                    • Opcode Fuzzy Hash: 345cf38d8bf93af0c83a3237d392a65fe0a72884042d0bfd2c7da8080ba72b49
                                                                                    • Instruction Fuzzy Hash: DF21283090CB4C8FEB59DBAC984A7E97FF0EB9A320F04416FD049C3152DA74941ACB92
                                                                                    Function 00007FFAAC5F33B5 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                    • Instruction ID: 388b182b9b8a72f791742ca75cdd24f4eb8076af8f489a3c1f0acc5c74a7106a
                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                    • Instruction Fuzzy Hash: 9101677115CB0D8FD748EF0CE451AA5B7E0FB95364F10056DE58AC36A1DA36E882CB45
                                                                                    Function 00007FFAAC6C414D Relevance: .0, Instructions: 37COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1469057107.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d76ceb055e743a65b896515d9f9dd2b0315b5ca0229575e6cf614da8bdd5a14a
                                                                                    • Instruction ID: 6af6f1f3c9e4d625849179adcf34580a9e814e7001cd55b76ddb53f0bfba5fd4
                                                                                    • Opcode Fuzzy Hash: d76ceb055e743a65b896515d9f9dd2b0315b5ca0229575e6cf614da8bdd5a14a
                                                                                    • Instruction Fuzzy Hash: ADF09A32A0D9058FE75AEB5CE4418B877E0EF5532071250BAE19DC79A3CA25EC44C780
                                                                                    Function 00007FFAAC6C4400 Relevance: .0, Instructions: 35COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1469057107.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7671bc8e08702d988c5c5638241047e00f39ea05f5723fbaf792fdfddb2485c5
                                                                                    • Instruction ID: 1ab60ae01187e49049d0b41a0f57f15b559ee1d6ed5d2d3617000c9fe4defe50
                                                                                    • Opcode Fuzzy Hash: 7671bc8e08702d988c5c5638241047e00f39ea05f5723fbaf792fdfddb2485c5
                                                                                    • Instruction Fuzzy Hash: D6F08232A0D5458FE756EB5CE4419B877E0FF45320B5590B6E14DC74A3DA29EC44C790
                                                                                    Function 00007FFAAC6C41D1 Relevance: .0, Instructions: 29COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1469057107.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction ID: cd56bf9e85cd2f11ee6483b6a739d072e1f9ad6f753063a18acb2a37adad42aa
                                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction Fuzzy Hash: 2AE01A31B0C808CFEA6ADB0CE0409F973E1EB9933171161B7D18EC7962CA22EC559BC0

                                                                                    Non-executed Functions

                                                                                    Function 00007FFAAC5F8995 Relevance: 5.1, Strings: 4, Instructions: 114COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M_^$M_^$M_^$M_^
                                                                                    • API String ID: 0-2235110077
                                                                                    • Opcode ID: 87c1d7a7dc3b0d34447267b73f55451271bf9057534e5225d57478309259f597
                                                                                    • Instruction ID: 0e04caec0d27b786671b847e6dfec24e5ddc949de56164ab2845e59adc177439
                                                                                    • Opcode Fuzzy Hash: 87c1d7a7dc3b0d34447267b73f55451271bf9057534e5225d57478309259f597
                                                                                    • Instruction Fuzzy Hash: 7D41866295E7C3CFE35B472848691957FA0FF13214B0942FBD088CB4D3EA29544AD3D6
                                                                                    Function 00007FFAAC5F89FA Relevance: 5.1, Strings: 4, Instructions: 79COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000003.00000002.1468510885.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_3_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M_^$M_^$M_^$M_^
                                                                                    • API String ID: 0-2235110077
                                                                                    • Opcode ID: ebf2f699bd0b9fc09f484344ef7b285d8e522c886142e02da14d1c93a3c9c433
                                                                                    • Instruction ID: e6046c780d8ee1b36b37048a9b384eaf6389e175a2c685553223f2f2e5dded84
                                                                                    • Opcode Fuzzy Hash: ebf2f699bd0b9fc09f484344ef7b285d8e522c886142e02da14d1c93a3c9c433
                                                                                    • Instruction Fuzzy Hash: 9D31F87295E7C7CFE34B472C48141927B90FF43228B0943FAD0C88A0D3EA249445D2E5

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC6B660A Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X71]
                                                                                    • API String ID: 0-3713933759
                                                                                    • Opcode ID: 6f80f29e469a5b968bd906fbaa0c39b5be3311d81b606b811b5cd2ded2f338ab
                                                                                    • Instruction ID: 296bbbdfbc5823cbf036fd62ceb410d1293336d165a4e429967d0ad7c31d4f1b
                                                                                    • Opcode Fuzzy Hash: 6f80f29e469a5b968bd906fbaa0c39b5be3311d81b606b811b5cd2ded2f338ab
                                                                                    • Instruction Fuzzy Hash: 84C126B191EA8A8FF75AEB688C155B57BE1FF46310B0451BED04DC71D3DE28E8098391
                                                                                    Function 00007FFAAC6B6633 Relevance: 1.5, Strings: 1, Instructions: 255COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: X71]
                                                                                    • API String ID: 0-3713933759
                                                                                    • Opcode ID: afb5361e26d0bab159c018edb7c7020be150d9a98169d773cdb44857ae1db598
                                                                                    • Instruction ID: 8b6b95eb33dc8457c53ca5ac4e2f718861950b1d980cafd7edb330fb6ba74493
                                                                                    • Opcode Fuzzy Hash: afb5361e26d0bab159c018edb7c7020be150d9a98169d773cdb44857ae1db598
                                                                                    • Instruction Fuzzy Hash: A38106A695EB868FF79AE7288C516747BE0EF06310B45A0FAD04DCB1D3D918DC0983D2
                                                                                    Function 00007FFAAC5E644D Relevance: .7, Instructions: 731COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1600568699.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fccfeaf2dea243b3c5c1c39b7da21ed5ece0bbd8c5300ec9dceaa1da028cb847
                                                                                    • Instruction ID: 401c107ab1cececcfdf478aa41312814b7dd7b0a95c1764751295e439429f3be
                                                                                    • Opcode Fuzzy Hash: fccfeaf2dea243b3c5c1c39b7da21ed5ece0bbd8c5300ec9dceaa1da028cb847
                                                                                    • Instruction Fuzzy Hash: 88D15D30918A4E8FEB98DF58C455AA97BE1FF69340F14816AE40DD7296CF34E885CBC1
                                                                                    Function 00007FFAAC5E96E2 Relevance: .2, Instructions: 206COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1600568699.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 03ad6431d03fbda2df7a570840ff8fd712e7c443c8d581aaf45d63ffca2cf6cd
                                                                                    • Instruction ID: 5b373a1b499e67be59470a3104b617fe851f31cfedba286f557d803f2ecba00f
                                                                                    • Opcode Fuzzy Hash: 03ad6431d03fbda2df7a570840ff8fd712e7c443c8d581aaf45d63ffca2cf6cd
                                                                                    • Instruction Fuzzy Hash: 9151D87290DB868FF7159B5C68165F97FA0EB57310F08817BE48D87193DA24A84A87C2
                                                                                    Function 00007FFAAC6B4073 Relevance: .2, Instructions: 183COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fef7cd6d5bd8265f418d648b4addd7d54458adc81b967acd0b9cbf0e376f28b6
                                                                                    • Instruction ID: fd5466e94db14789c3be1408c26c292c32c589481a9c8b24eb8ac95796ee7d0b
                                                                                    • Opcode Fuzzy Hash: fef7cd6d5bd8265f418d648b4addd7d54458adc81b967acd0b9cbf0e376f28b6
                                                                                    • Instruction Fuzzy Hash: BE514D32E4DA468FF79ADB2C485167477D2EF96210B58A0BEC14EC7593DE24EC0983C1
                                                                                    Function 00007FFAAC6B4370 Relevance: .1, Instructions: 147COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 065640f710b58f027fda4cdf2cbb8f8c936fdffbf44e4a97968346fbf4577f88
                                                                                    • Instruction ID: 14d4d874a896e3133ff36ec562cc5b3c78bf162982d5eea547252854d79ecf85
                                                                                    • Opcode Fuzzy Hash: 065640f710b58f027fda4cdf2cbb8f8c936fdffbf44e4a97968346fbf4577f88
                                                                                    • Instruction Fuzzy Hash: 59414A32A4EA498FFBA6D76C98416B4BBD1EF46220B0C64FAC14EC7193DD14EC1883C1
                                                                                    Function 00007FFAAC5E9760 Relevance: .1, Instructions: 137COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1600568699.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a0a4e649b9e0538331f38f1fec019296e63dd6eba95f2e4f50d287a914ef351
                                                                                    • Instruction ID: 52741fa501f6629b2431c81fdac6d0ac8a080f31d25ea01e0811a7a3717b0cb4
                                                                                    • Opcode Fuzzy Hash: 6a0a4e649b9e0538331f38f1fec019296e63dd6eba95f2e4f50d287a914ef351
                                                                                    • Instruction Fuzzy Hash: 3341E87191DB888FE7189F5C9C065F97FE0FB5A310F04826FE489D3252DA60A855CBC2
                                                                                    Function 00007FFAAC4CEC60 Relevance: .1, Instructions: 126COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1599895778.00007FFAAC4CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac4cd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aa1fad8760a12eb55028f44a54f6602c820c7f0e019a4f7d004d8b976bdb2fba
                                                                                    • Instruction ID: f7bb615aa3591fe4f0bf562091e438bd48f520ab6bfb5e23aa4da32a78507abc
                                                                                    • Opcode Fuzzy Hash: aa1fad8760a12eb55028f44a54f6602c820c7f0e019a4f7d004d8b976bdb2fba
                                                                                    • Instruction Fuzzy Hash: A741F53040EBC48FE7568B2998459523FF0EF57324B1506DFD088CB1A3D629E84AC792
                                                                                    Function 00007FFAAC5EA49C Relevance: .1, Instructions: 98COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1600568699.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a20ad21e5d1d5cfdf9d147408acc7a2e6cf70d64cb607f2f54234b648994c403
                                                                                    • Instruction ID: 8095b754cd6c46ee5eba28af8bf6c2f8a16e4789e890dd6ce6fb583d7bbf5ead
                                                                                    • Opcode Fuzzy Hash: a20ad21e5d1d5cfdf9d147408acc7a2e6cf70d64cb607f2f54234b648994c403
                                                                                    • Instruction Fuzzy Hash: DE21073090C64C8FDB59DFAC984A7E97FF0EB96321F04826BD049C3152DA74A45ACB91
                                                                                    Function 00007FFAAC6B40BF Relevance: .1, Instructions: 96COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e2decb97717fa573a853954e970fc711231eee414366a45c194f32fba49fe980
                                                                                    • Instruction ID: 7d35b9ee2d16b49dd342f01458a096cfd51c472388ed3aca3f0febf7accde63e
                                                                                    • Opcode Fuzzy Hash: e2decb97717fa573a853954e970fc711231eee414366a45c194f32fba49fe980
                                                                                    • Instruction Fuzzy Hash: 8D212872E4EA878FF7A6CB1C485117467D2EF66210B49A0BAC14EC71A3CE28DC0D9781
                                                                                    Function 00007FFAAC6B43BC Relevance: .1, Instructions: 63COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1601384085.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5aad56a523e0b5b9b86659c5adebb680a8cbb65e2582d5979d8ad2eed6fcf039
                                                                                    • Instruction ID: 69371c337c1d8d72a105e0c13f15257b635d4e3efbb1eff00ccab647422034df
                                                                                    • Opcode Fuzzy Hash: 5aad56a523e0b5b9b86659c5adebb680a8cbb65e2582d5979d8ad2eed6fcf039
                                                                                    • Instruction Fuzzy Hash: B111E33295EA858FF6A6D7288854574BBD1EF02210B4C64BAD25EC7093DE18EC188781
                                                                                    Function 00007FFAAC5E33B5 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000007.00000002.1600568699.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_7_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                                                                    • Instruction ID: 1423497c26d24871ad2420b61dcb2776f5c974a8d1653656c2e84cfe7c088356
                                                                                    • Opcode Fuzzy Hash: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                                                                    • Instruction Fuzzy Hash: AE01677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3661DB36E882CB45

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5E644D Relevance: .7, Instructions: 733COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1745422950.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1d3286a7069fd85a3bd050e4c872b90d288594d9f290efec973df7e4a5024c14
                                                                                    • Instruction ID: 5ca18e36170f11c0be67052aecbe77e8a55960fa19764316ff3b01b0ece59b11
                                                                                    • Opcode Fuzzy Hash: 1d3286a7069fd85a3bd050e4c872b90d288594d9f290efec973df7e4a5024c14
                                                                                    • Instruction Fuzzy Hash: DCD14B30A18A4E8FEB85DF58C455AA97BF1FF69340F14816AE40DD7296CF24E885CBC1
                                                                                    Function 00007FFAAC6B660A Relevance: .4, Instructions: 411COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: df29cea442198c74b3bc9583d59fe6f72e29917f00381146ad43e70c5cf57386
                                                                                    • Instruction ID: 430f402f3081b19f2b084a14eb33a192256a183fba2ebad3cc3299de1a3f2f49
                                                                                    • Opcode Fuzzy Hash: df29cea442198c74b3bc9583d59fe6f72e29917f00381146ad43e70c5cf57386
                                                                                    • Instruction Fuzzy Hash: 8DC126B191EA8A9FF75AEB688C156B57BE0FF46310B0451BED04DC71D3DA28E8098391
                                                                                    Function 00007FFAAC6B6633 Relevance: .3, Instructions: 257COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d25a650fe5eac643a7f227f9c4bfc443f754fab7bab0318b3389ec3a8abd270
                                                                                    • Instruction ID: f2024dae50fd753605a2b6d3a4c039a211255e7fcd64ff07c609b90650d973f1
                                                                                    • Opcode Fuzzy Hash: 5d25a650fe5eac643a7f227f9c4bfc443f754fab7bab0318b3389ec3a8abd270
                                                                                    • Instruction Fuzzy Hash: AA8126A295EB868FF79AE7288C516747BE0EF06310B49A0FED04DCB1D3D918DC098391
                                                                                    Function 00007FFAAC6B4073 Relevance: .2, Instructions: 182COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 867683ab4b37d18b9d7f631edac2c0ceb880ffb41db1428bb2dff0af0c35fe25
                                                                                    • Instruction ID: 9e448409e28f4e1599dd3d2ea1b27ba74797c9e1c9f67a5940773be645659736
                                                                                    • Opcode Fuzzy Hash: 867683ab4b37d18b9d7f631edac2c0ceb880ffb41db1428bb2dff0af0c35fe25
                                                                                    • Instruction Fuzzy Hash: A3514B32E4DA468FF79ADB2C885167477D2EF96210B58A0BEC14EC7593DE24EC0983C1
                                                                                    Function 00007FFAAC6B4370 Relevance: .1, Instructions: 147COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 97d79fd0651c3036ae2ad481d838b41461618ecacc166f94798533aedc3351d0
                                                                                    • Instruction ID: 8f383e57f722833a362a77fe2392b998725511411935380eb4fe805382682344
                                                                                    • Opcode Fuzzy Hash: 97d79fd0651c3036ae2ad481d838b41461618ecacc166f94798533aedc3351d0
                                                                                    • Instruction Fuzzy Hash: C9414A32A4EA498FFBA6D76C98416B47BD1EF46220B0C64FAD14EC7193DD14EC1883C1
                                                                                    Function 00007FFAAC5E9758 Relevance: .1, Instructions: 128COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1745422950.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e737e09a543b7f76c0a66efdd8d73036bd0982e56b8c58ff00416cc1b9fcc936
                                                                                    • Instruction ID: 338832b679b2967b5614c738c424d1c5cbe622d9737d94f9d68f8e1e2a1866bc
                                                                                    • Opcode Fuzzy Hash: e737e09a543b7f76c0a66efdd8d73036bd0982e56b8c58ff00416cc1b9fcc936
                                                                                    • Instruction Fuzzy Hash: F031C67191CB488FEB189F5CA8466E97BE0FB99311F00816FE44DD3252DB70A8598BC2
                                                                                    Function 00007FFAAC4CE540 Relevance: .1, Instructions: 125COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1744429243.00007FFAAC4CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4CD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac4cd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3906e8deb579bfdebfc05d8b6829920bcfa9235b75e460c7297410829dcd4235
                                                                                    • Instruction ID: c0594a9790f93edbc08e7f6377be277404241f7b519fe0fec8745890d72e9352
                                                                                    • Opcode Fuzzy Hash: 3906e8deb579bfdebfc05d8b6829920bcfa9235b75e460c7297410829dcd4235
                                                                                    • Instruction Fuzzy Hash: 6741E07040EBC48FE7578B28D8459523FF0EF57224B1946DFD088CB1A3D629E84AC792
                                                                                    Function 00007FFAAC5EA015 Relevance: .1, Instructions: 113COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1745422950.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b414f3df754910d55c795eea8a3db75cc4ba1e2cce58a8d6f7efa3842eb362b6
                                                                                    • Instruction ID: 826f9c72a8225a036f3851ed3b0c7e67953ed4958c0707ee87eb648b382f8aac
                                                                                    • Opcode Fuzzy Hash: b414f3df754910d55c795eea8a3db75cc4ba1e2cce58a8d6f7efa3842eb362b6
                                                                                    • Instruction Fuzzy Hash: 33314CB380C7964FD312E77CE4661E53FA0EF02228B0841BBD48ECA153DE245485C3D5
                                                                                    Function 00007FFAAC5EA47C Relevance: .1, Instructions: 98COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1745422950.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 959fa685d961eee1ddc97888bd16d4b3de6856072059cf9103d2171a0e6d67ea
                                                                                    • Instruction ID: a5f645c00bf78abcd7fc39277d478b2f6558cc02c1ee59123c539219a7363f37
                                                                                    • Opcode Fuzzy Hash: 959fa685d961eee1ddc97888bd16d4b3de6856072059cf9103d2171a0e6d67ea
                                                                                    • Instruction Fuzzy Hash: 6621F83190CB4C8FEB59DFAC984A7E97FF0EB9A321F04416BD049C7152DA749419CB92
                                                                                    Function 00007FFAAC6B40BF Relevance: .1, Instructions: 95COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 646fdd68198d5a417fde118a0bbcd2ccf522c9c98caec7eff89605368ee762f4
                                                                                    • Instruction ID: 7f68332d8ef7965683ef0191f04c2313f0f865766a6a7e08ed43c7f908a58b2e
                                                                                    • Opcode Fuzzy Hash: 646fdd68198d5a417fde118a0bbcd2ccf522c9c98caec7eff89605368ee762f4
                                                                                    • Instruction Fuzzy Hash: B7210462E4EA878FF7A6CB1C485557427D2EF66210B49A0BAC14EC71A3CE28DC099781
                                                                                    Function 00007FFAAC6B43BC Relevance: .1, Instructions: 63COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1746359294.00007FFAAC6B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac6b0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8953455c5a6c49248fed13ced4912c5939711d5704e76c417bdc0a8ced78c99e
                                                                                    • Instruction ID: 231e1303f7bd04c2c96237bb8532f165698cf1c100fbfbd2a0a4b743361e6c06
                                                                                    • Opcode Fuzzy Hash: 8953455c5a6c49248fed13ced4912c5939711d5704e76c417bdc0a8ced78c99e
                                                                                    • Instruction Fuzzy Hash: 0211E33294E6858FF6A6D72888545747BD1EF02210B4DA4F6D25DC7093DE18EC1883C1
                                                                                    Function 00007FFAAC5E33B5 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000009.00000002.1745422950.00007FFAAC5E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5E0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_9_2_7ffaac5e0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                                                                    • Instruction ID: 1423497c26d24871ad2420b61dcb2776f5c974a8d1653656c2e84cfe7c088356
                                                                                    • Opcode Fuzzy Hash: 0d5f8bd4930a63cdbcd6f9a23957c342ff1d62f78ef99ce6612c7dcee371064b
                                                                                    • Instruction Fuzzy Hash: AE01677115CB0D8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3661DB36E882CB45

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5F644D Relevance: .7, Instructions: 732COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 790e91d5ee3b009554bc352f15a482452e0d6ea40e5bdd09880a64deff650f7f
                                                                                    • Instruction ID: 264a4911d6988b8ea82dc9126b1c6006756bc13d63e79b274a9b6fc8c32759e0
                                                                                    • Opcode Fuzzy Hash: 790e91d5ee3b009554bc352f15a482452e0d6ea40e5bdd09880a64deff650f7f
                                                                                    • Instruction Fuzzy Hash: 85D14C34A18A4E8FEF98DF58C455AA97BE1FF69300F14816AE40DD7296CE24E845CBC1
                                                                                    Function 00007FFAAC6C6651 Relevance: .4, Instructions: 398COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1986055762.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3ba6a1c1a64ca412bb4b2c204120730838c38cabfe39c93c76b9616bde651520
                                                                                    • Instruction ID: ab3c4fc3c08a98fa03f816b3d88937eebbcb1bfb9a38989009cf0bf61520e0f3
                                                                                    • Opcode Fuzzy Hash: 3ba6a1c1a64ca412bb4b2c204120730838c38cabfe39c93c76b9616bde651520
                                                                                    • Instruction Fuzzy Hash: 2BC158B190EA8A8FF796EB6888559B57BE0FF46310B0451BAE04DC70D3DE18D80983D5
                                                                                    Function 00007FFAAC6C4370 Relevance: .1, Instructions: 146COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1986055762.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 653952d2cb5e8f74a4082824f09f60c9520b26e0be15b1c8fbd4e157dfa61f8f
                                                                                    • Instruction ID: 82ced8a0b22d41bc4b945857a2347df285ec19ae933a6fe427b04bf3b55e02f1
                                                                                    • Opcode Fuzzy Hash: 653952d2cb5e8f74a4082824f09f60c9520b26e0be15b1c8fbd4e157dfa61f8f
                                                                                    • Instruction Fuzzy Hash: DF413B72A0EA498FF7A7DB6C94416B477D1EF85320B18A4BAD15EC7593DD18EC0883C1
                                                                                    Function 00007FFAAC5F9770 Relevance: .1, Instructions: 137COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f5dd8f6bba6075866a3230b0caf7c2718ee3275901a0fb21d42cfccc6a4a47fe
                                                                                    • Instruction ID: 4865a76f408d7b0798c916a50d9ca7ffa55f0c68373e58f6394f54f5c802fd9f
                                                                                    • Opcode Fuzzy Hash: f5dd8f6bba6075866a3230b0caf7c2718ee3275901a0fb21d42cfccc6a4a47fe
                                                                                    • Instruction Fuzzy Hash: 9A41D87190DF884FE71C9F5CAC066E97BE0FB9A311F04426FE449D3252CA60A855CBC2
                                                                                    Function 00007FFAAC4DED40 Relevance: .1, Instructions: 124COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1983029961.00007FFAAC4DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4DD000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac4dd000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 19e6caf52b50a10101f5076e29096d8c2a6ee048db0d97718547783181476ff3
                                                                                    • Instruction ID: d9e6f15a0c355d81335f1d5362c478628fe9dc1e7f5fd3c3031a903dd84c721a
                                                                                    • Opcode Fuzzy Hash: 19e6caf52b50a10101f5076e29096d8c2a6ee048db0d97718547783181476ff3
                                                                                    • Instruction Fuzzy Hash: 5141E87140EBC48FE7579B299845A523FF0EF57324B1505DFD088CB1A3DA29E84AC7A2
                                                                                    Function 00007FFAAC5FA49C Relevance: .1, Instructions: 102COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0a1e7f6b755309339e5706a0b76d1fbd08997b47a1b6039ab647d443d8d1741c
                                                                                    • Instruction ID: 85e3dbd6cdf9762fdadd30c1bf763399473dab5cfbad48491a176ab678a239d3
                                                                                    • Opcode Fuzzy Hash: 0a1e7f6b755309339e5706a0b76d1fbd08997b47a1b6039ab647d443d8d1741c
                                                                                    • Instruction Fuzzy Hash: 1D21283190C74C8FEB59DFAC984A7E97FE0EB96321F04816BD049C3152DA74A81AC7D2
                                                                                    Function 00007FFAAC6C43BC Relevance: .1, Instructions: 62COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1986055762.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 60e57468d5e45616c6edbf4055691ac9dd6d1325968a5cca57c75c042e03d2c4
                                                                                    • Instruction ID: 7cdc4ed47ba1e8aeb2e420213847c474f23e839b1d0ee610a47124dc58b44079
                                                                                    • Opcode Fuzzy Hash: 60e57468d5e45616c6edbf4055691ac9dd6d1325968a5cca57c75c042e03d2c4
                                                                                    • Instruction Fuzzy Hash: A411023290EA468FF7A7DB1C90815B83AE0EF81320B59A0F6D15EC7092DE18EC0483C1
                                                                                    Function 00007FFAAC5F33B5 Relevance: .0, Instructions: 49COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                    • Instruction ID: 388b182b9b8a72f791742ca75cdd24f4eb8076af8f489a3c1f0acc5c74a7106a
                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                    • Instruction Fuzzy Hash: 9101677115CB0D8FD748EF0CE451AA5B7E0FB95364F10056DE58AC36A1DA36E882CB45
                                                                                    Function 00007FFAAC6C4146 Relevance: .0, Instructions: 38COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1986055762.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5ed2b04341f5abb9389f1f0c4f441b26f2e2b2ec6b22a44f85106c4599dc9cb7
                                                                                    • Instruction ID: b9c4beaf443d0f0794138b210068d35b9ba3a41c64e364620c44a047edf0c866
                                                                                    • Opcode Fuzzy Hash: 5ed2b04341f5abb9389f1f0c4f441b26f2e2b2ec6b22a44f85106c4599dc9cb7
                                                                                    • Instruction Fuzzy Hash: 99F09032A0D5068FE75AEB5CE4418B477E0EF5532071590B6E09EC7563CE25EC44C780
                                                                                    Function 00007FFAAC6C41D1 Relevance: .0, Instructions: 29COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1986055762.00007FFAAC6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC6C0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac6c0000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction ID: cd56bf9e85cd2f11ee6483b6a739d072e1f9ad6f753063a18acb2a37adad42aa
                                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                    • Instruction Fuzzy Hash: 2AE01A31B0C808CFEA6ADB0CE0409F973E1EB9933171161B7D18EC7962CA22EC559BC0

                                                                                    Non-executed Functions

                                                                                    Function 00007FFAAC5F8945 Relevance: 6.4, Strings: 5, Instructions: 141COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                    • API String ID: 0-2396788759
                                                                                    • Opcode ID: 61eea3130155f675c577568688a793603f670611a6046eff0d35c52795404acb
                                                                                    • Instruction ID: 44e4c7bafba2083a5c257027b459042a7645751d25c3eb33f9b8cbdfc6fdb53e
                                                                                    • Opcode Fuzzy Hash: 61eea3130155f675c577568688a793603f670611a6046eff0d35c52795404acb
                                                                                    • Instruction Fuzzy Hash: CC419EA295E7C78FE35B83284869155BFE0EF53218B0D43EAC4D48F0D3EA19544AD3D6
                                                                                    Function 00007FFAAC5F8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M_^5$M_^8$M_^F$M_^I$M_^K
                                                                                    • API String ID: 0-2170160206
                                                                                    • Opcode ID: 467a3bf947d0bd8b3431e84963978ea4daa9a6ed38a982528ffad7b655969975
                                                                                    • Instruction ID: a8ac1b185636252c3743f336d7c984060ef7021013b830695e5cfce756488fe7
                                                                                    • Opcode Fuzzy Hash: 467a3bf947d0bd8b3431e84963978ea4daa9a6ed38a982528ffad7b655969975
                                                                                    • Instruction Fuzzy Hash: 912137B7718166CE9201377DA8219DC7794CF9927538987F2E19ACF293EC28608A89C0
                                                                                    Function 00007FFAAC5F89F3 Relevance: 5.1, Strings: 4, Instructions: 93COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 0000000B.00000002.1984321451.00007FFAAC5F5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F5000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_11_2_7ffaac5f5000_powershell.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: M_^$M_^$M_^$M_^
                                                                                    • API String ID: 0-1397233021
                                                                                    • Opcode ID: 3c85addde6f3e7c944245178ae29bc98d1c36e7139d02740b7720c4947a77262
                                                                                    • Instruction ID: 4d7626f1dfd874fa56b51521a65742b4fafa90da3d3c766286a73d12a5e00dfc
                                                                                    • Opcode Fuzzy Hash: 3c85addde6f3e7c944245178ae29bc98d1c36e7139d02740b7720c4947a77262
                                                                                    • Instruction Fuzzy Hash: 6B3181A395E7C78BE35B832848691A5BFD0EF5722C70D43EAC4D88B0C3E9159446D2D6

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5D1719 Relevance: .7, Instructions: 693COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 182c4227db7f402fa4a333f20a75ff1654e022597b0ea0f90b20c3556ccdf451
                                                                                    • Instruction ID: ea8c448240c766748ddc9e204c4be950be4afd52e190bfe83a5293aae0865fc6
                                                                                    • Opcode Fuzzy Hash: 182c4227db7f402fa4a333f20a75ff1654e022597b0ea0f90b20c3556ccdf451
                                                                                    • Instruction Fuzzy Hash: 0322D461A59B4A8FF799EB38C4597BD76D6EF99310F448479E00FC32D6CE28A8058381
                                                                                    Function 00007FFAAC5D20F1 Relevance: .2, Instructions: 210COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fd102044adca8cfec0cc9eb2d766c8ce29790cd1487bd8608b5be7bdaa867812
                                                                                    • Instruction ID: 635ff0b83638030ccdcd7c167a4374b1a9d228604ffa4df12856a3ef773b660c
                                                                                    • Opcode Fuzzy Hash: fd102044adca8cfec0cc9eb2d766c8ce29790cd1487bd8608b5be7bdaa867812
                                                                                    • Instruction Fuzzy Hash: A251E05165E7C64FE787A7B898657756FD8DF87215B0844FBE08DC7193DD08480AC382
                                                                                    Function 00007FFAAC5D0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 9P_^
                                                                                    • API String ID: 0-1898675183
                                                                                    • Opcode ID: 0b1610dea837ff54ffda668ac98a61948fcbb494fa763a3a6ad8db298186223a
                                                                                    • Instruction ID: b51ee1a4eed5ed96066fc900f1267cf81bb9aadedfd04ad2bc67bf3ce738a90d
                                                                                    • Opcode Fuzzy Hash: 0b1610dea837ff54ffda668ac98a61948fcbb494fa763a3a6ad8db298186223a
                                                                                    • Instruction Fuzzy Hash: 4761F8B6A4D61A8FE705FBBCE451AED37A4EF89324B048576E00EC7293CD34648683D0
                                                                                    Function 00007FFAAC5D0E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4P_^
                                                                                    • API String ID: 0-2202116914
                                                                                    • Opcode ID: bc90a37894ecefdd28681d2abedd012366f1659032cb0169cb848e41826097c3
                                                                                    • Instruction ID: 24f124f1aa90e08c480eef8b4d75ce591b84e05856d543629082e0a1fedf26f9
                                                                                    • Opcode Fuzzy Hash: bc90a37894ecefdd28681d2abedd012366f1659032cb0169cb848e41826097c3
                                                                                    • Instruction Fuzzy Hash: 05510A61A4D7874FE356A77898556B53FD5DF8722070940FBE08DC71A3DC189C468392
                                                                                    Function 00007FFAAC5D1295 Relevance: .9, Instructions: 859COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9209a04166de531e5c00ce0ab30b88ab2bcdcbe08326dc1ff327e0e18d840db0
                                                                                    • Instruction ID: 012c2d6cea160746aee66aa95db21339887c02d20c23989b09f89805c866d2ff
                                                                                    • Opcode Fuzzy Hash: 9209a04166de531e5c00ce0ab30b88ab2bcdcbe08326dc1ff327e0e18d840db0
                                                                                    • Instruction Fuzzy Hash: B421F0B3D0D3964FF742E7BCD4715EA3BB4EF46220B0881B7D08ACA1A3DD2854498390
                                                                                    Function 00007FFAAC5D0985 Relevance: .3, Instructions: 346COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b108c28f1896745f5c9ff3e05f822fb6378646ba6c6f208f28e9f2bf6d827cc8
                                                                                    • Instruction ID: 5ec6e1e77708dde2f3cff818e4b73064d1351698b35872320e9298dd93411977
                                                                                    • Opcode Fuzzy Hash: b108c28f1896745f5c9ff3e05f822fb6378646ba6c6f208f28e9f2bf6d827cc8
                                                                                    • Instruction Fuzzy Hash: 4DA1F6B660C5269FE701FBBCF855AED3BA4EF892217048577D14ACB193CD24648AC7D0
                                                                                    Function 00007FFAAC5D09D3 Relevance: .3, Instructions: 320COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3cdcd4c1e23e32a54fccfe41a6a7f154e67c2c7289f0e56fe7a72f8a4c481dc1
                                                                                    • Instruction ID: 4f94eb71c9221827fd9288f37471ac4c3a0e918a0506a0b2b3415b13d05d206a
                                                                                    • Opcode Fuzzy Hash: 3cdcd4c1e23e32a54fccfe41a6a7f154e67c2c7289f0e56fe7a72f8a4c481dc1
                                                                                    • Instruction Fuzzy Hash: D091E6BA60C5169EE700FBBCF455AED7BA8EFC92317048577D14ECA193CD24648A87E0
                                                                                    Function 00007FFAAC5D0A08 Relevance: .3, Instructions: 305COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 47a7d9d95569fea397d9ec92d3918190b41b98db6e1e747b2d597873b8987b43
                                                                                    • Instruction ID: 7e98d5ee8978a65a8caaa951ff846d5939fdd27080d4e6299fd622e5a782ef78
                                                                                    • Opcode Fuzzy Hash: 47a7d9d95569fea397d9ec92d3918190b41b98db6e1e747b2d597873b8987b43
                                                                                    • Instruction Fuzzy Hash: E98106B660C5169EE700FBBCF455AED3BA9EFC92217048577D14ECA193CD24648AC7D0
                                                                                    Function 00007FFAAC5D0A10 Relevance: .3, Instructions: 301COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ef4b0309fb8bae28135c3ea9662e11900cc1241b5ba224f8689a6b323d993f0f
                                                                                    • Instruction ID: 367711b2650b0f3572f738735173061def591e1b11c762e1967b708051b73e6f
                                                                                    • Opcode Fuzzy Hash: ef4b0309fb8bae28135c3ea9662e11900cc1241b5ba224f8689a6b323d993f0f
                                                                                    • Instruction Fuzzy Hash: C181F4B660C5169EE700FBBCF455AED3BA9EFC9221B048577E14ECA193CD24648A87D0
                                                                                    Function 00007FFAAC5D0A48 Relevance: .3, Instructions: 270COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 52a6a312a56a14a49bf46771f94245e4fcecb03ed4a11c67151c18f52e13f3c4
                                                                                    • Instruction ID: b7a3b06afe17310b857f3dd17dc2c0446373affd80ba0b742ed0d95fad99f01f
                                                                                    • Opcode Fuzzy Hash: 52a6a312a56a14a49bf46771f94245e4fcecb03ed4a11c67151c18f52e13f3c4
                                                                                    • Instruction Fuzzy Hash: DE71F7B66085169FE700BBBCE455AED7BA5EF89221B048577E04ECB193CD34648AC7D0
                                                                                    Function 00007FFAAC5D0638 Relevance: .1, Instructions: 138COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 78777a3e82b4968d35d4dd42ea2d16bfc309fd99b4471f14e3f1c0fc08e91a73
                                                                                    • Instruction ID: 1807d3d2d24f607fc28e92dddfb66c0976970b3ec44a4a5b23d3b89df317333b
                                                                                    • Opcode Fuzzy Hash: 78777a3e82b4968d35d4dd42ea2d16bfc309fd99b4471f14e3f1c0fc08e91a73
                                                                                    • Instruction Fuzzy Hash: B031F761B1CA494FE798EB7CD85A779A6C6EF99310F0445BEF00EC3293DD649C058380
                                                                                    Function 00007FFAAC5D0D21 Relevance: .1, Instructions: 127COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a14cbedbbd064f0237057cb482a51c297d903c9b07d98c1837a654c77a66363e
                                                                                    • Instruction ID: be77f16d52dd5925594e71a1a527d0b7ec37dc85cdc12c37fcec0a73b0d0f2ea
                                                                                    • Opcode Fuzzy Hash: a14cbedbbd064f0237057cb482a51c297d903c9b07d98c1837a654c77a66363e
                                                                                    • Instruction Fuzzy Hash: 3731AA91B18A0A5FF745BBBC981A7BD66D5EF98311F0445BBE00EC32D2DD28984143C1
                                                                                    Function 00007FFAAC5D0BD3 Relevance: .1, Instructions: 120COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 13c2185ba52c5e72e192bd99c2023ad0959c47a0ddb1f0a008527d6849cec73e
                                                                                    • Instruction ID: 2dd0b64791826c29aada8f81e1266ecf563e4185683be794814a45b11eb7fd0d
                                                                                    • Opcode Fuzzy Hash: 13c2185ba52c5e72e192bd99c2023ad0959c47a0ddb1f0a008527d6849cec73e
                                                                                    • Instruction Fuzzy Hash: 0241C161A1D60E8FEB45EB78C4656FDBBF1EF99301F508475E00AD3296CD39A8058790
                                                                                    Function 00007FFAAC5D0858 Relevance: .1, Instructions: 86COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b1d01c9da18910da185f6e98d586d1f5c80b857d9defe35c3bdcb1c742147d8c
                                                                                    • Instruction ID: f12785d9a83ba2366f474b91afb7a1f816c3bf0afe3875b0fbb898172170c4ba
                                                                                    • Opcode Fuzzy Hash: b1d01c9da18910da185f6e98d586d1f5c80b857d9defe35c3bdcb1c742147d8c
                                                                                    • Instruction Fuzzy Hash: 1831B2A154964D4FD745EB38D0A86BD3FB1EF89200B85C5B5D00BCB3AFCD255C488785
                                                                                    Function 00007FFAAC5D0870 Relevance: .1, Instructions: 75COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c2b9f006576168a9d9e60a6c5758ec2e052351ea013e2b36751aace3e5ec34f9
                                                                                    • Instruction ID: 615010729426a5d2056b697b4912ca0af1a8288d9e2340279df221a48a978c05
                                                                                    • Opcode Fuzzy Hash: c2b9f006576168a9d9e60a6c5758ec2e052351ea013e2b36751aace3e5ec34f9
                                                                                    • Instruction Fuzzy Hash: 282181A164964D4FD745EF28D0A8ABD7FB1EF89200BC1C4B5D40BC73AECD255D488746
                                                                                    Function 00007FFAAC5D22C1 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000011.00000002.2070365126.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_17_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 31e47e2d0fd32b5a55cec243620d73becf201648204f3aaf1c1f43cf7f1b5a38
                                                                                    • Instruction ID: 02b50d61e175643a5452a3f443e0c6d6a17e3fe12e6ccce2a6605d7a75e3efcb
                                                                                    • Opcode Fuzzy Hash: 31e47e2d0fd32b5a55cec243620d73becf201648204f3aaf1c1f43cf7f1b5a38
                                                                                    • Instruction Fuzzy Hash: 8501F25490E7824FF786A73858565257FE0DBA2210B0844ABF88EC6296DC089D888382

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5F1719 Relevance: .7, Instructions: 693COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e52d95d133be283b72962957bdcea044a75ff8af0d2f07054e2e3755c6e62663
                                                                                    • Instruction ID: 40dfd17296c8eb8b2cc9fd10dbc136478dacd6b97a9b47711d2e477df1dcfb60
                                                                                    • Opcode Fuzzy Hash: e52d95d133be283b72962957bdcea044a75ff8af0d2f07054e2e3755c6e62663
                                                                                    • Instruction Fuzzy Hash: 3B22B361A59B4A8FF798EB3884697B976D6EF99300F444579E00EC33D3DE28AC0587C1
                                                                                    Function 00007FFAAC5F20F1 Relevance: .2, Instructions: 210COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 895af32b981e011fdbed8d68a7c0cfa420ecee7dcd137b951728593392d86ebf
                                                                                    • Instruction ID: 0ef170420248751d0530f7f4f2ff51e95aa8cb87a99f925030ed0e2c2914dc8c
                                                                                    • Opcode Fuzzy Hash: 895af32b981e011fdbed8d68a7c0cfa420ecee7dcd137b951728593392d86ebf
                                                                                    • Instruction Fuzzy Hash: C151239165E7C64FE78AA7789865A757FD8DF87219B0804FAE0CDC7193DD08480AC386
                                                                                    Function 00007FFAAC5F0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 9N_^
                                                                                    • API String ID: 0-1737749909
                                                                                    • Opcode ID: 4f2b5be52073ff2e41cd049add2d7f06a02e276ecf32ffa96bfa84bdde9e3af6
                                                                                    • Instruction ID: 29cefe69ded4e3652ac69f3552f2eea45e5ad7e317bc4e2ac733d728227d597f
                                                                                    • Opcode Fuzzy Hash: 4f2b5be52073ff2e41cd049add2d7f06a02e276ecf32ffa96bfa84bdde9e3af6
                                                                                    • Instruction Fuzzy Hash: F0614DB6A4D62A8BE705B77CE4516EC77E0EF89325B088576D04FC7293CD38648687D0
                                                                                    Function 00007FFAAC5F0E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4N_^
                                                                                    • API String ID: 0-2516135240
                                                                                    • Opcode ID: 77d869d7fa0ccd63a94087151b06c897638009d9d8711fb8901ac2b51a74a650
                                                                                    • Instruction ID: eb25abdbf82fa507445f4ee47eaf9bf66318af82c4c9faad49606bb85e0d7aa9
                                                                                    • Opcode Fuzzy Hash: 77d869d7fa0ccd63a94087151b06c897638009d9d8711fb8901ac2b51a74a650
                                                                                    • Instruction Fuzzy Hash: 1F511861A4D7860FE396A77898655B57FE5DF87220B0980FBE08DC72A3DC189C468392
                                                                                    Function 00007FFAAC5F1295 Relevance: .9, Instructions: 861COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 19768021ba03ec926c507f0707cd3c8cbdbf62382a3ffddbf89eacd943dc8d45
                                                                                    • Instruction ID: d954721190035022ac2b445cf30c7bbcf52f3e18940c25d34e4340a6d09bef95
                                                                                    • Opcode Fuzzy Hash: 19768021ba03ec926c507f0707cd3c8cbdbf62382a3ffddbf89eacd943dc8d45
                                                                                    • Instruction Fuzzy Hash: 0021D773D0D7968FF709A7BCD8615EA7BB0EF42215B0841B7D08ACA193DD28680987C0
                                                                                    Function 00007FFAAC5F0985 Relevance: .3, Instructions: 346COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d263236c11938a7aabf53926f66f903eef6d057f4fd5fbba10d2bb195617bda5
                                                                                    • Instruction ID: f790d245e0d65e7d633903aed00ac208d1bef921f841ed5ed107f921bc5f736b
                                                                                    • Opcode Fuzzy Hash: d263236c11938a7aabf53926f66f903eef6d057f4fd5fbba10d2bb195617bda5
                                                                                    • Instruction Fuzzy Hash: 01A1067770CA268BD701BB7CF8516E97BA0EF89375B048577D24ACB293CD24648A87D0
                                                                                    Function 00007FFAAC5F09D3 Relevance: .3, Instructions: 320COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 14ebb66cc7b5a68852db153320f9243ccb94fb002f9edaab8855b3efda28b875
                                                                                    • Instruction ID: 354220ef8d0973e709dbc84f83680ff2f1e8d66bc880365484ab505c35054eda
                                                                                    • Opcode Fuzzy Hash: 14ebb66cc7b5a68852db153320f9243ccb94fb002f9edaab8855b3efda28b875
                                                                                    • Instruction Fuzzy Hash: 47911566B08A268BD700BB7CF8516E97BA0EFC9375B448577D24ACB293CD24648687D0
                                                                                    Function 00007FFAAC5F0A08 Relevance: .3, Instructions: 305COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b70b5f91e22054f33f52961a9301f1c7327b54ca792e0eefd289ff61bcc96916
                                                                                    • Instruction ID: 6d192a18dd66ac782b40b64a9a7ce722e2781bff8399f45d33c12678cc140f3f
                                                                                    • Opcode Fuzzy Hash: b70b5f91e22054f33f52961a9301f1c7327b54ca792e0eefd289ff61bcc96916
                                                                                    • Instruction Fuzzy Hash: FE811776B08A268BD701BB7CF8516E97BA0EF89375B048577D14ECB293CD34648687D0
                                                                                    Function 00007FFAAC5F0A10 Relevance: .3, Instructions: 301COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 901bc66e049af107c47d1791091b3a9aae5750aa293f7a1a11f122a6c2193a91
                                                                                    • Instruction ID: 94727f99941d473c1af458e995b8001fb9540e747ef8b5c414d8553436fd9979
                                                                                    • Opcode Fuzzy Hash: 901bc66e049af107c47d1791091b3a9aae5750aa293f7a1a11f122a6c2193a91
                                                                                    • Instruction Fuzzy Hash: 6F8116B6B08A268BD700BB7CF8556E97BA0EF89375B048577D14ECB293CD34648687D0
                                                                                    Function 00007FFAAC5F0A48 Relevance: .3, Instructions: 270COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 75d8c81d4e71ff29d79a20be7c4e887d404ec5eda238784ea804ffaebd692c00
                                                                                    • Instruction ID: b727849e0f92708b6fad57fbdfdc748a0bff0bc35535cd7a6e734ff1a13443f6
                                                                                    • Opcode Fuzzy Hash: 75d8c81d4e71ff29d79a20be7c4e887d404ec5eda238784ea804ffaebd692c00
                                                                                    • Instruction Fuzzy Hash: C4712776B08A2A8BD700BB7CF8516ED7BA0EF89365B048576D14ECB293CD346486C7D0
                                                                                    Function 00007FFAAC5F0638 Relevance: .1, Instructions: 138COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b79048991275b582d118ae6dc68f4ab91187812cbb6963bcc7556da352e7c648
                                                                                    • Instruction ID: b3f9415d0bded40f2b74155f5f0d9a82acff60ca12a03fc1f255aa822af2b18b
                                                                                    • Opcode Fuzzy Hash: b79048991275b582d118ae6dc68f4ab91187812cbb6963bcc7556da352e7c648
                                                                                    • Instruction Fuzzy Hash: 8831E261B18A490FE798EB2CD85AB78A6C6EB99315F0405BEE00EC32A3DD649C458380
                                                                                    Function 00007FFAAC5F0D21 Relevance: .1, Instructions: 127COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c55ac4f471d4c5957ff491faf38dc9c2a7639dee507f6f90c5d1ea65ccbb3e94
                                                                                    • Instruction ID: 61c8624db56929e05d42321458bba6f63aa7ced33f4fbb1204dcf4ad1be9a832
                                                                                    • Opcode Fuzzy Hash: c55ac4f471d4c5957ff491faf38dc9c2a7639dee507f6f90c5d1ea65ccbb3e94
                                                                                    • Instruction Fuzzy Hash: EF31C891B18A0A4FF748B7BC981A7BDA6D5EF98351F0485BAE00EC32D2DD289C0583C1
                                                                                    Function 00007FFAAC5F0BD3 Relevance: .1, Instructions: 120COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7bd945aaf72d7b34e7877ee4c233620af91ff015dda57f7329bff0a0031c9081
                                                                                    • Instruction ID: 23d7d309f3f31d41d8e88687d81a724b0dc8bf905eb2cee42a9bcfdf6e5c1d6a
                                                                                    • Opcode Fuzzy Hash: 7bd945aaf72d7b34e7877ee4c233620af91ff015dda57f7329bff0a0031c9081
                                                                                    • Instruction Fuzzy Hash: F941C361A19A4E8FEB85EB78C4A16EDBBF1FF89301F544475E00AD3393CD38A8058791
                                                                                    Function 00007FFAAC5F0858 Relevance: .1, Instructions: 86COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f445e1e042b4e83732e473d42506f623c874b037f8b115e33c7c40327cd07815
                                                                                    • Instruction ID: 26be7ee58851b6977d115e45cd6803323e5f093f241b9162e69400ad8d502b31
                                                                                    • Opcode Fuzzy Hash: f445e1e042b4e83732e473d42506f623c874b037f8b115e33c7c40327cd07815
                                                                                    • Instruction Fuzzy Hash: A831A1A164964E5FD782EB3890E05E97FF1EF8D305B84A4B5D00BCB3A7DD285C088B81
                                                                                    Function 00007FFAAC5F0870 Relevance: .1, Instructions: 75COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a9a6cfc77904cafb26f63da30f1a63f53831254e2279adca7bedc867ee38849a
                                                                                    • Instruction ID: f660f78e19ce9cc26b9559170c8415ad4d03c7470b2b1af8177ff9cde08127df
                                                                                    • Opcode Fuzzy Hash: a9a6cfc77904cafb26f63da30f1a63f53831254e2279adca7bedc867ee38849a
                                                                                    • Instruction Fuzzy Hash: 682193A1659A4D5FD786EB68C0E09E97FF1EF8D305B80A4B5D40BC73A7CD285D048B82
                                                                                    Function 00007FFAAC5F22C1 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2160303626.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 430a199ea239c986331f60903fdf8effd8d7d619e86673a2a717cdbd0d49c0da
                                                                                    • Instruction ID: 8afbfa2aa509184f4a92fecf21d4f61a24af7e8f219d16b05d8b21da746319be
                                                                                    • Opcode Fuzzy Hash: 430a199ea239c986331f60903fdf8effd8d7d619e86673a2a717cdbd0d49c0da
                                                                                    • Instruction Fuzzy Hash: 1E01269090E7864FF78AA7381C654717FE0CB96200B0804BAF88DC61D7DC08998983C2

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5D1719 Relevance: .7, Instructions: 693COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0b466fe16547f84c0405f5c4ce247a68f658c4d450618c4419f14e6325d54419
                                                                                    • Instruction ID: e42328e5b97de05d052c5fc60b2959bd289a23ab06efd318ff5dd02b47c4de27
                                                                                    • Opcode Fuzzy Hash: 0b466fe16547f84c0405f5c4ce247a68f658c4d450618c4419f14e6325d54419
                                                                                    • Instruction Fuzzy Hash: EB22D461F59B4A8FF799E738D4597B9B6D6EF99300F444479E00EC32D2CE28A8058781
                                                                                    Function 00007FFAAC5D20F1 Relevance: .2, Instructions: 210COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 821e8b4161568c8e404cc243fa8f4feb72fe50d312d3760cb9454bcea5c1bd00
                                                                                    • Instruction ID: d8adc742af4f7144a1056f456319cd1eac6605b4564cd5918cd7f7f562a46fcf
                                                                                    • Opcode Fuzzy Hash: 821e8b4161568c8e404cc243fa8f4feb72fe50d312d3760cb9454bcea5c1bd00
                                                                                    • Instruction Fuzzy Hash: C151FF51A4E6C64FE787A7B89865775AFD8DF87215B0844FBE08DC7193DD08480AC382
                                                                                    Function 00007FFAAC5D0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 9P_^
                                                                                    • API String ID: 0-1898675183
                                                                                    • Opcode ID: 887a0703fc7f7271e0acc4fc6e9855575cf9dbc3f5f92c2c3a2a238248230a01
                                                                                    • Instruction ID: 0cf5d9ec40a0798190f30dd9ed7a64f0aa6a5f531980d5ae626cf0a749c46d6a
                                                                                    • Opcode Fuzzy Hash: 887a0703fc7f7271e0acc4fc6e9855575cf9dbc3f5f92c2c3a2a238248230a01
                                                                                    • Instruction Fuzzy Hash: 4661F7B6A4D61A9FE701F7BCE451AED77A4EF89324B048576E00EC7293CD34648A87D0
                                                                                    Function 00007FFAAC5D0E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4P_^
                                                                                    • API String ID: 0-2202116914
                                                                                    • Opcode ID: 2bc669ef79391f70e34299af546f85d71a92aecc009929b1f24131472b50d1e6
                                                                                    • Instruction ID: ef953be1fb384bbe2980814f622bc9be283dd0d78efdc2b72c9407ebd0bede52
                                                                                    • Opcode Fuzzy Hash: 2bc669ef79391f70e34299af546f85d71a92aecc009929b1f24131472b50d1e6
                                                                                    • Instruction Fuzzy Hash: C8511962A4D7870FE356A77C98566B57FE5DF87220B0940FBE08DC72A3DC189C468392
                                                                                    Function 00007FFAAC5D1295 Relevance: .9, Instructions: 859COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9bb401a2b2ea4a9db1a95771ef7502731d68c894d0151340995e2b1f433cde1a
                                                                                    • Instruction ID: 807077e475fd6d10d07d1fb4c0e1413497a032189c6035a03c4b0d94b9804205
                                                                                    • Opcode Fuzzy Hash: 9bb401a2b2ea4a9db1a95771ef7502731d68c894d0151340995e2b1f433cde1a
                                                                                    • Instruction Fuzzy Hash: 6D21F0B3D0D3964FF742E7BCD4715EA3BB4EF46220B0841B7E08ACA1A3DD2854498390
                                                                                    Function 00007FFAAC5D0985 Relevance: .3, Instructions: 346COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2c2a3f6f19af5f643090d2f8b0dfaee2a9183f1acd832bffc66d9916ec7c5178
                                                                                    • Instruction ID: 3aebd33473092bb6c219d9464715e7f4d85ab7522c43e0d1ff894ace504ee50e
                                                                                    • Opcode Fuzzy Hash: 2c2a3f6f19af5f643090d2f8b0dfaee2a9183f1acd832bffc66d9916ec7c5178
                                                                                    • Instruction Fuzzy Hash: 68A106B660C5269FE701FBBCE855AED7BA4EF89320B048577D14ACB193CD24648A87D0
                                                                                    Function 00007FFAAC5D09D3 Relevance: .3, Instructions: 320COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 1bb7e4357ecf3a7cd4e77cb0faab5444c0e90b6796f110707ff03f2ecc252681
                                                                                    • Instruction ID: 3245f2b876e57f0dcd2b960994f8d1f7c855a90ec4805bd180b50014b0c7c637
                                                                                    • Opcode Fuzzy Hash: 1bb7e4357ecf3a7cd4e77cb0faab5444c0e90b6796f110707ff03f2ecc252681
                                                                                    • Instruction Fuzzy Hash: 7D91D5B66085169EE700FBBCF455AED7BA8EFC9331B048577D14ECA193CD24648A87E0
                                                                                    Function 00007FFAAC5D0A08 Relevance: .3, Instructions: 305COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: d2c692215f555131da9ae0b37c54cde5aa5a44dacb8f51cb959fac23016d0b63
                                                                                    • Instruction ID: 079c98beac9e66df55c2fd78d7fe7ee27e3e667e3cd149b7b81c2cc112029b37
                                                                                    • Opcode Fuzzy Hash: d2c692215f555131da9ae0b37c54cde5aa5a44dacb8f51cb959fac23016d0b63
                                                                                    • Instruction Fuzzy Hash: C881F5B660C5169FE700BBBCF455AED7BA9EF89320B048577D14ECA193CD24648A87D0
                                                                                    Function 00007FFAAC5D0A10 Relevance: .3, Instructions: 301COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 58cdb72925e53b2014eb7f49867051855aa2e725e1ce7b409b8f711979363d4f
                                                                                    • Instruction ID: 04b3604fcc29489d78784e22480a1d4aaafabbdbaccebdf973bcf63ca38bb499
                                                                                    • Opcode Fuzzy Hash: 58cdb72925e53b2014eb7f49867051855aa2e725e1ce7b409b8f711979363d4f
                                                                                    • Instruction Fuzzy Hash: 6381F5B660C5169FE700BBBCF455AED7BA8EF89320B048577D14ECA193CD24648A87D0
                                                                                    Function 00007FFAAC5D0A48 Relevance: .3, Instructions: 270COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bc038f56ae05a312ec7457eb5cb800e0c84f22ed7869cf524d84e2a964125bfd
                                                                                    • Instruction ID: ea9e6b1361ff71f207a7d6f21b3460affba39d26dedcea7e2634545c30652378
                                                                                    • Opcode Fuzzy Hash: bc038f56ae05a312ec7457eb5cb800e0c84f22ed7869cf524d84e2a964125bfd
                                                                                    • Instruction Fuzzy Hash: 7571F5B660851A9FE700BBBCE455AED7BA5EF89320B048577D14ECB293CD34648AC7D0
                                                                                    Function 00007FFAAC5D0638 Relevance: .1, Instructions: 138COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 9f638759b76a86eda4dc5d43c2587882c43bd9f99a8c9926fb32d85df396f799
                                                                                    • Instruction ID: b4c0c6cb6302015342f949797621ae8a22f95f96f7f95e26baa6b8a991658f30
                                                                                    • Opcode Fuzzy Hash: 9f638759b76a86eda4dc5d43c2587882c43bd9f99a8c9926fb32d85df396f799
                                                                                    • Instruction Fuzzy Hash: 3431F761B1CA494FE798E77CD85A779A6C6EF99310F0445BEF00EC3293DD649C058380
                                                                                    Function 00007FFAAC5D0D21 Relevance: .1, Instructions: 127COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a14cbedbbd064f0237057cb482a51c297d903c9b07d98c1837a654c77a66363e
                                                                                    • Instruction ID: be77f16d52dd5925594e71a1a527d0b7ec37dc85cdc12c37fcec0a73b0d0f2ea
                                                                                    • Opcode Fuzzy Hash: a14cbedbbd064f0237057cb482a51c297d903c9b07d98c1837a654c77a66363e
                                                                                    • Instruction Fuzzy Hash: 3731AA91B18A0A5FF745BBBC981A7BD66D5EF98311F0445BBE00EC32D2DD28984143C1
                                                                                    Function 00007FFAAC5D0BD3 Relevance: .1, Instructions: 120COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5d13ffae319cbbf6772dc26554293d86dbee2c93ff67cdbb2ddc8afdbe578538
                                                                                    • Instruction ID: 81cf551734c5390e766eee85808ac854100ba140cba8c911943e3aa921d4a035
                                                                                    • Opcode Fuzzy Hash: 5d13ffae319cbbf6772dc26554293d86dbee2c93ff67cdbb2ddc8afdbe578538
                                                                                    • Instruction Fuzzy Hash: 6741C161A1CA0E8FEB45EB78C465BEDBBF1FF89301F504479E00AD3292CD38A8058790
                                                                                    Function 00007FFAAC5D0858 Relevance: .1, Instructions: 86COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 86688525a7cf66aae2e874fc00909df22eea5e48ca9c0f006175d0914ee19018
                                                                                    • Instruction ID: 6530acb1bc8bbf5231ea8a832e3e82405bd7cbfc57a0131ee63cff6993992c41
                                                                                    • Opcode Fuzzy Hash: 86688525a7cf66aae2e874fc00909df22eea5e48ca9c0f006175d0914ee19018
                                                                                    • Instruction Fuzzy Hash: 8C31D761949A4D5FD741EB3CD0A89A97FF1EF89300F8484BDD00AC73A7DD246C498B42
                                                                                    Function 00007FFAAC5D0870 Relevance: .1, Instructions: 75COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 25d84d66bf71524e9341f856b639be0ac1c5cd2541913c4a135d01c79e295942
                                                                                    • Instruction ID: 99e11f5f13e0debef830b1c097793527b583785b68f3eea85a2ac385e746fa02
                                                                                    • Opcode Fuzzy Hash: 25d84d66bf71524e9341f856b639be0ac1c5cd2541913c4a135d01c79e295942
                                                                                    • Instruction Fuzzy Hash: 1721A761949A4D5FD741EB3CD0A89A9BFF1EF89300F8084BDD40AC7397DD246D048B42
                                                                                    Function 00007FFAAC5D22C1 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000013.00000002.2191557658.00007FFAAC5D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5D0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_19_2_7ffaac5d0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3d533bc47da8bda86a1d2c70a4b18e3b682618ea5dfc5df278086f6e6291c0fc
                                                                                    • Instruction ID: 4ee77c4ffe7a3c536ffa14bc7ae2c30f8a2c2cf81b518ca948f2f45a848331c4
                                                                                    • Opcode Fuzzy Hash: 3d533bc47da8bda86a1d2c70a4b18e3b682618ea5dfc5df278086f6e6291c0fc
                                                                                    • Instruction Fuzzy Hash: 3001F25490EB824FF786A738585A5217FE0DB92200B0804ABF88DC6292D8089D8883C2

                                                                                    Executed Functions

                                                                                    Function 00007FFAAC5F1719 Relevance: .7, Instructions: 693COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: aff4450b9b0c35a1987cacbcb547d8f67867856c5c08cf334de96620278bb074
                                                                                    • Instruction ID: 7cd7f248140c4a41adf282ab4411f94cdd1c63bea0bf53ab4fb391ac0352856e
                                                                                    • Opcode Fuzzy Hash: aff4450b9b0c35a1987cacbcb547d8f67867856c5c08cf334de96620278bb074
                                                                                    • Instruction Fuzzy Hash: A022A561B59B4A8FF798E73884697B9B6D6EF99300F448579E00EC32D2DD28EC0587C1
                                                                                    Function 00007FFAAC5F20F1 Relevance: .2, Instructions: 210COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fdb828c5278e7ad8693d239d7bcad8c815ebc7cbbea4a2a9ce09085e06b6867d
                                                                                    • Instruction ID: b4311ee3e0c7cc5af8498e7a5d12db8c464d3510ba8fa2bc569282777801e0f0
                                                                                    • Opcode Fuzzy Hash: fdb828c5278e7ad8693d239d7bcad8c815ebc7cbbea4a2a9ce09085e06b6867d
                                                                                    • Instruction Fuzzy Hash: EF51239165E7C64FE78AA7789865A75BFD8DF87215B0804FAE0CDC7193DD08480AC386
                                                                                    Function 00007FFAAC5F0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 9N_^
                                                                                    • API String ID: 0-1737749909
                                                                                    • Opcode ID: 744fe66ca3b9a3d44cbe988b17c9194bc1521c3cf252872996c94a276ffcafa6
                                                                                    • Instruction ID: 2e37c3d2c1920d19b1ac98f17c74ad15747a87758f0e69406f0633b362ef1ad5
                                                                                    • Opcode Fuzzy Hash: 744fe66ca3b9a3d44cbe988b17c9194bc1521c3cf252872996c94a276ffcafa6
                                                                                    • Instruction Fuzzy Hash: A0616BB6A4C62A8BE705B77CE4516EC7BE0EF88325F088536D14EC7293CD38648683C0
                                                                                    Function 00007FFAAC5F0E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 4N_^
                                                                                    • API String ID: 0-2516135240
                                                                                    • Opcode ID: 74a5caeea72ee006ad5ad49dd504b01957368429f0ec77f9dacee04d6201de9a
                                                                                    • Instruction ID: bafd85d353c55026af7ededa1991949cb69ae19c8028cc09c05c78bb00e9e079
                                                                                    • Opcode Fuzzy Hash: 74a5caeea72ee006ad5ad49dd504b01957368429f0ec77f9dacee04d6201de9a
                                                                                    • Instruction Fuzzy Hash: EF512861A4D7860FE396A77898655B57FE5DF87220B0980FBE08DC72A3DC189C468392
                                                                                    Function 00007FFAAC5F1295 Relevance: .9, Instructions: 861COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6e1162d01f955467a2a02b28fa6aaa6691fee687e06a7df26ed0d55fbcad74c2
                                                                                    • Instruction ID: 97ff2e0ef634357feb10dfa8eb4adce0a6231464a974aa417a101ad8fc66afc7
                                                                                    • Opcode Fuzzy Hash: 6e1162d01f955467a2a02b28fa6aaa6691fee687e06a7df26ed0d55fbcad74c2
                                                                                    • Instruction Fuzzy Hash: BD21E673D0D7968FF709E7BCD8615EA7BB0EF42215B0841B7D08ACA193DD28A80987C0
                                                                                    Function 00007FFAAC5F0985 Relevance: .3, Instructions: 346COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6dfc423dcbc2e741a7c38e75b69527106c798e7160bf406d183a2f960d89a01a
                                                                                    • Instruction ID: 04d2c91f4e605f72824af60b91b53bb36058ee4a76e8bd39b33401e6f81ba9b3
                                                                                    • Opcode Fuzzy Hash: 6dfc423dcbc2e741a7c38e75b69527106c798e7160bf406d183a2f960d89a01a
                                                                                    • Instruction Fuzzy Hash: 0FA12677B0C6268BD701BB7CE8516E9BBA0EF89371B048577C24ACB193CD34648A87D0
                                                                                    Function 00007FFAAC5F09D3 Relevance: .3, Instructions: 320COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93b11100840281e1856c7c3a652dee27014d5d7a834c9bfec5862f1543228f87
                                                                                    • Instruction ID: 282901c5e3bdf88bbb25507d56505c6aa5f2863a2c5c1b2769648eb6d1d19e9f
                                                                                    • Opcode Fuzzy Hash: 93b11100840281e1856c7c3a652dee27014d5d7a834c9bfec5862f1543228f87
                                                                                    • Instruction Fuzzy Hash: AC910766B08A268BD700BB7CF4556E9BBA0EFC9371B448577D24ACB193CD24648687D0
                                                                                    Function 00007FFAAC5F0A08 Relevance: .3, Instructions: 305COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4371f3625d01185bc3e64a0dcfa41e93e712d6220fa50b03f2d98745864b6489
                                                                                    • Instruction ID: b1ec11f1ad6fd5e0aa5975dad54b2ca842e051b00689566d59f247ce4bcf0396
                                                                                    • Opcode Fuzzy Hash: 4371f3625d01185bc3e64a0dcfa41e93e712d6220fa50b03f2d98745864b6489
                                                                                    • Instruction Fuzzy Hash: 00812876B08A2A8BD700BB7CF8556E9BBA1EF89371B048577D14ECB193CD34648687C0
                                                                                    Function 00007FFAAC5F0A10 Relevance: .3, Instructions: 301COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 47d3b27a0509220270fd8733c546acb9d428163fb7722596cfd32276a706ab9c
                                                                                    • Instruction ID: 01abd341c61cdb9006fb8542ffca535b8ecdc176311e6ff063775ad8a69db879
                                                                                    • Opcode Fuzzy Hash: 47d3b27a0509220270fd8733c546acb9d428163fb7722596cfd32276a706ab9c
                                                                                    • Instruction Fuzzy Hash: F18128B6B08A268BD700BB7CF4556E97BA1EF89371B048577D14ECB293CD34648687C0
                                                                                    Function 00007FFAAC5F0A48 Relevance: .3, Instructions: 270COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 5db63be13db5e38962423777a319b5d2c786601313a24fdef221bcbedfaca45c
                                                                                    • Instruction ID: 980b9f5cc558d1f3ab50b07e04fdb6a3d3336ba88d4b6f5a5ae1b4998c03a3ac
                                                                                    • Opcode Fuzzy Hash: 5db63be13db5e38962423777a319b5d2c786601313a24fdef221bcbedfaca45c
                                                                                    • Instruction Fuzzy Hash: 0C711876B08A2A8BD700BB7CE4556EDBBA1EF89361B048576D14EC7293CD346486C7D0
                                                                                    Function 00007FFAAC5F0638 Relevance: .1, Instructions: 138COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f13ebec2e29ce667cee21ecb6aea9215a8057182715c1bbb2ed293725805074d
                                                                                    • Instruction ID: 76504102850d23d00973903648e2922aa789dbb89358b0ab4e8ce888fb63cf53
                                                                                    • Opcode Fuzzy Hash: f13ebec2e29ce667cee21ecb6aea9215a8057182715c1bbb2ed293725805074d
                                                                                    • Instruction Fuzzy Hash: F431E261B18A490FE798EB2CD85AB78B6C6EB99311F0445BEE00EC32A3DD649C458380
                                                                                    Function 00007FFAAC5F0D21 Relevance: .1, Instructions: 127COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: c55ac4f471d4c5957ff491faf38dc9c2a7639dee507f6f90c5d1ea65ccbb3e94
                                                                                    • Instruction ID: 61c8624db56929e05d42321458bba6f63aa7ced33f4fbb1204dcf4ad1be9a832
                                                                                    • Opcode Fuzzy Hash: c55ac4f471d4c5957ff491faf38dc9c2a7639dee507f6f90c5d1ea65ccbb3e94
                                                                                    • Instruction Fuzzy Hash: EF31C891B18A0A4FF748B7BC981A7BDA6D5EF98351F0485BAE00EC32D2DD289C0583C1
                                                                                    Function 00007FFAAC5F0BD3 Relevance: .1, Instructions: 120COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ce4a2c904e8824634c491ee23ade571198e224816731fae0aeee9c0178b03556
                                                                                    • Instruction ID: 6a22da0b4391f13ebb65f428cd24dad59860dd8ba8a1e7e9066a5187daaa3ea2
                                                                                    • Opcode Fuzzy Hash: ce4a2c904e8824634c491ee23ade571198e224816731fae0aeee9c0178b03556
                                                                                    • Instruction Fuzzy Hash: 0741C461A59B4E8FEB45EB78C4656EDBBF2FF89301F548479D00AD3292CD38A8058781
                                                                                    Function 00007FFAAC5F0858 Relevance: .1, Instructions: 86COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fdf9adbf0af2450be9c1538870c48ff966230fa0c22c14554c12bf9fe839d41c
                                                                                    • Instruction ID: 931af9213a74db56da4310a1a47c3f603d1567af37bc4809f349968953dbdc0f
                                                                                    • Opcode Fuzzy Hash: fdf9adbf0af2450be9c1538870c48ff966230fa0c22c14554c12bf9fe839d41c
                                                                                    • Instruction Fuzzy Hash: 2C31C861A9964D4FDB41EB38D4E59A97FB2EF89300F84C4B9D40AC7397DD386C088B81
                                                                                    Function 00007FFAAC5F0870 Relevance: .1, Instructions: 75COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6631d03fb7d10298d270b6a23be4dacbebb0762e89bb0c0a1f2d25d3686e3872
                                                                                    • Instruction ID: ef0d8870b144c8d38aad9789a657c2b8c217533189cbe0458f489aa02752290e
                                                                                    • Opcode Fuzzy Hash: 6631d03fb7d10298d270b6a23be4dacbebb0762e89bb0c0a1f2d25d3686e3872
                                                                                    • Instruction Fuzzy Hash: CD219861A9964D4FDB45EB38D4E59A9BFB2EF89300F84C4B9D40AC7396CD386D048B42
                                                                                    Function 00007FFAAC5F22C1 Relevance: .0, Instructions: 43COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000014.00000002.2244257541.00007FFAAC5F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC5F0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_20_2_7ffaac5f0000_System User.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7e7fd97c9d761a7f560cb40002b80f5e9d721b2c031174c27864ad41366b3687
                                                                                    • Instruction ID: e223f1d3cb39b38a6244c0cbbebcd01180b899ce99ff692f605feaa2b60d9447
                                                                                    • Opcode Fuzzy Hash: 7e7fd97c9d761a7f560cb40002b80f5e9d721b2c031174c27864ad41366b3687
                                                                                    • Instruction Fuzzy Hash: 4501269090E7864FF789A7381C554317FE0CF92300B0844BAE88CC61D7DC08D98983C2